# DANGEROUS-CONTENT-PATTERNS.RC
#
# SPECIFIC VIRUS CONTENT
#
# This section contains pattern matching filters to catch mail that is very
# likely to carry a specific virus or trojan, but with less certainty than
# the virus filters themselves.
# Probable E-Gold Trojan
#
:0 BH
* VIRUSTAG ?? no
* -1000^0
* 400^0 ^Dear E-gold user, we receive many complaints concerning unsunctioned taking the money$
* 400^0 ^off the balance of our users recently, thus we earnestly ask you to install the$
* 400^0 ^ - This innovation blocks all known Trojans which let take the money off your account$
* 400^0 ^ - In case of the lost of your money, E-gold *DOES NOT* bear any responsibility if the$
* 400^0 ^ - The installation archivated file of the service-pack is attached to this letter\.$
* 1100^0 ^--[^ ]+$\
Content-Type: application/octet-stream; name=\"e-gold_security\.exe\"$
{
SBLOG="A1S-DANGER! Probable E-Gold Trojan (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ SPAMTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable Javascript Trojans
#
:0 BH
* VIRUSTAG ?? no
* -1000^0
* 1100^0 ^()$
* 600^0 ^THIS IS AN AUTO-GENERATED MESSAGE - PLEASE DO NOT REPLY TO THIS MESSAGE
* 600^0 (^|[^0-9a-z])Home directory: The location of the home directory varies by platform\.
Windows 98([^0-9a-z]|$)
{
SBLOG="A1S-DANGER! Probable Javascript Trojan (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ SPAMTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable RAR Archive Viruses/Trojans
#
:0
* VIRUSTAG ?? no
* B ?? (^|[^0-9a-z])(file)?name( )*=( )*(\")?([0-9a-z][-_0-9a-z]+\.)+rar(\")?
* -1000^0
* B ?? 300^0 ^We have a pleasure to inform you,
* B ?? 300^0 (^|[^0-9a-z])Western Express Company celebrates([^0-9a-z]|$)
* B ?? 300^0 (^|[^0-9a-z])loss-free lottery for E-gold users([^0-9a-z]|$)
* B ?? 300^0 (^|[^0-9a-z])ATTENTION! Only E-gold uses are invited!([^0-9a-z]|$)
* B ?? 300^0 (^|[^0-9a-z])My camera shootings takes a lot of time([^0-9a-z]|$)
* B ?? 300^0 (^|[^0-9a-z])my first photosession has ended yesterday([^0-9a-z]|$)
* B ?? 300^0 (^|[^0-9a-z])you, as usually, the first who will see my photos([^0-9a-z]|$)
* B ?? 300^0 (^|[^0-9a-z])I there madly beautiful, especially when I oiled([^0-9a-z]|$)
* B ?? 1100^0 ^My porn photo, only for you ;\)$
* H ?? 1100^0 ^From: =\?Windows-1251\?B\?RS1Hb2xk\?= $
* B ?? 600^0 ^We are sorry to inform you about unauthorized access([^0-9a-z]|$)
* B ?? 300^0 (^|[^0-9a-z])in compliance with security reasons we were forced to change([^0-9a-z]|$)
* B ?? 300^0 (^|[^0-9a-z])Please find enclosed a new generated password([^0-9a-z]|$)
* B ?? 600^0 ^[^0-9a-z]*Dear E-gold payment system users![^0-9a-z]*$
* B ?? 300^0 (^|[^0-9a-z])recurred attempts of hackers to access([^0-9a-z]|$)
* B ?? 300^0 (^|[^0-9a-z])The program is enclosed to the message([^0-9a-z]|$)
* H ?? 500^0 ^Dear E-gold payment system users!$
* H ?? 500^0 ^The recent cases of fraud, unauthorized withdrawal of cash from our clients([^0-9a-z]|$)
* H ?? 500^0 ^have to accept our rules and to use this program\.([^0-9a-z]|$)
* B ?? 1100^0 ^--[^ ]+$\
Content-Type: text/html; charset=\"us-ascii\"$\
Content-Transfer-Encoding: 7bit$$\
()[^0-9a-z]*$?[^0-9a-z]*\
([^0-9a-z]*$?[^0-9a-z]*
)*\
([^0-9a-z]*$?[^0-9a-z]*)*[^0-9a-z]*$?[^0-9a-z]*\
$$\
--[^ ]+$
{
SBLOG="A1S-DANGER! Probable RAR Archive Virus/Trojan (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ SPAMTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable Web Trojans
#
# This appears to be a Javascript attack against web browsers, probably
# specifically Internet Explorer. It had no effect on my computer, but
# I have a web proxy that disables all but completely innocuous JavaScript.
# It tries to get users to access the trojan site by claiming that their
# credit card has been charged some fairly large sum of money for an
# online purchase, usually of electronic equipment. Of course, the user
# made no such purchase. The email then directs the user to a web site
# via a link whose visible text shows one web site while the A HREF
# points at a different URL (usually a bare IP address). Nasty. :(
#
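# The lure above, checked the way the recipe below checks it but over a
# decoded message: an added example in Python, not SpamBouncer code. The
# weights follow the recipe's scoring model (start at -1000, add each
# matching check's weight, flag the mail when the total is above 0). The
# message, the 192.0.2.10 address and the example.invalid domain are
# constructed for illustration; the link check compares the host named in
# the anchor's visible text with the host in its href.

```python
"""Weighted-score check for the fake order-confirmation lure: added example,
not SpamBouncer code. Constructed message; weights mirror the recipe's
scoring model (-1000 base, add each hit's weight, flag when total > 0)."""
import email
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: "MSN Support" display name at an unrelated domain, the
# order/amount lure, and an anchor whose text is a hostname but whose href is an IP.
SAMPLE = """\
From: "MSN Support, Jane Doe" <support@example.invalid>
To: victim@example.invalid
Subject: Your order # 48213 has been accepted for the amount 1299.00$
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>Your order # 48213 has been accepted for the amount 1299.00$</p>
<p>Your card will be charged in that amount .Thank you for your purchase.</p>
<p><a href="http://192.0.2.10/order/check.php">http://www.msn.com/orders</a></p>
</body></html>
"""

ORDER_RE = re.compile(
    r"Your order # [0-9]+ has been accepted for the amount [0-9]+(\.[0-9]{2})?\$?", re.I)
HOSTLIKE_RE = re.compile(r"[a-z0-9-]+\.[a-z]{2,}", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(s):
    """Lower-cased hostname of a URL or of a bare hostname; '' when none."""
    if not re.match(r"[a-z][a-z0-9+.-]*://", s, re.I):
        s = "http://" + s
    return (urlparse(s).hostname or "").lower()


def deceptive_links(html):
    """Anchors whose visible text names one host but whose href goes to another.
    Returns (text_host, href_host, href_is_ip_literal) triples."""
    parser = AnchorCollector()
    parser.feed(html)
    found = []
    for href, text in parser.links:
        if not HOSTLIKE_RE.search(text):
            continue  # ordinary words as link text: nothing to compare against
        text_host, href_host = host_of(text), host_of(href)
        if text_host and href_host and text_host != href_host:
            is_ip = re.fullmatch(r"[0-9]{1,3}(\.[0-9]{1,3}){3}", href_host) is not None
            found.append((text_host, href_host, is_ip))
    return found


def html_body(msg):
    """All text/html parts, decoded from their transfer encoding and charset."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "us-ascii", "replace"))
    return "\n".join(chunks)


def score_message(raw):
    """Returns (score, reasons); the message is flagged when score > 0."""
    msg = email.message_from_string(raw)
    score, reasons = -1000, []

    def hit(weight, why):
        nonlocal score
        score += weight
        reasons.append((weight, why))

    sender = msg.get("From", "")
    if re.search(r'"MSN Support, [a-z]+ [a-z]+"', sender, re.I):
        hit(800, "From: display name claims to be MSN Support")
    if re.search(r"[0-9a-z](hotmail|microsoft|msn)\.com([^0-9a-z.]|$)", sender, re.I):
        hit(-800, "From: address really is at an MSN/Microsoft domain")
    if ORDER_RE.search(msg.get("Subject", "")):
        hit(800, "Subject: order-accepted lure")
    html = html_body(msg)
    if ORDER_RE.search(html):
        hit(400, "body repeats the order-accepted line")
    if re.search(r"Your card will be charged in that amount", html, re.I):
        hit(400, "body: card-will-be-charged line")
    for text_host, href_host, is_ip in deceptive_links(html):
        hit(1100 if is_ip else 600, f"link shows {text_host} but goes to {href_host}")
    return score, reasons
```

# The HTML is decoded from its transfer encoding before the anchors are read,
# which a regex over the raw body (the B flag) does not do, so a base64-encoded
# HTML part is handled the same as a 7bit one.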
:0
* LEANTAG ?? no
* !--.*forwarded message --
* !^forwarded message:
* -1000^0
* -200^1 ^[:;#>]
* H ?? 800^0 ^From: \"MSN Support, [a-z]+ [a-z]+\"
* H ?? -800^0 ^From:.*[0-9a-z](hotmail|microsoft|msn)\.com([^0-9a-z.]|$)
* H ?? 800^0 ^Subject:.*[^0-9a-z](Your order \# [0-9]+ has been accepted for the amount [0-9]+(\.[0-9][0-9])?(\$)?)$
* B ?? 400^0 ^Your order \# [0-9]+ has been accepted for the amount [0-9]+(\.[0-9][0-9])?(\$)?
$
* B ?? 400^0 ^Your card will be charged in that amount \.Thank you for your purchase\.
$
* B ?? 400^0 ^You can check the order in your profile\.
$
* B ?? 400^0 ^http://([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?$
* B ?? 1100^0 ^--[^ ]+$\
Content-Location: http://([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?/([^/%]+/)*?[^ ]*(%[0-9a-f][0-9a-f])+$
{
SBLOG="A1S-DANGER! Probable Web Trojan (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
* $ ${SBSCORE}^0
* 5^0
{ SBSCORE=$= }
}
# Internet Explorer exploits/trojans
#
:0 BH
* VIRUSTAG ?? no
* -1000^0
* 1100^0 (^|[^0-9a-z])http://([0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?\.[0-9][0-9]?[0-9]?|([0-9a-z][-_0-9a-z]+(ÿ|\.|=2E|%2E))+[a-z][a-z][a-z]?[a-z]?):1639/([^0-9a-z]|$)
{
SBLOG="A1S-DANGER! Probable Internet Explorer Exploit/Trojan (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ SPAMTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable BabyBear Virus/Worm
#
:0 BH
* VIRUSTAG ?? no
* -1000^0
* 600^0 ^Subject: (File You Requested|Please Confirm)$
* 200^0 ^Dear Sir or Madame, We have detected that you have placed a Order fo$
* 200^0 ^Msn8. Before we start your Service please confirm your order. To confirm$
* 200^0 ^your order please check the attachement. Thanks, Microsoft Corporation$
* 200^0 ^Support$
* 500^0 ^Hey Here is the file you wanted$
{
SBLOG="A1S-DANGER! Probable BabyBear Virus/Worm (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ SPAMTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable "Bagle" variant
#
# This scores the text Bagle variants use (five-digit archive passwords,
# "Password:" lines, the signature verses) together with an attached
# base64-encoded ZIP archive (a ZIP's PK\003\004 signature begins "UEsDB"
# in base64) and puts matching mail in your ${SPAMFOLDER}. Several versions
# of the Bagle virus send themselves as encrypted ZIP files, with the
# password in the message text, in order to bypass filtering.
#
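# The same idea carried one step further than a regex can go: an added
# example in Python, not SpamBouncer code. It decodes each attachment, checks
# for the ZIP local-file-header signature (which is where "UEsDB" comes
# from), reads the encryption bit from the header's flag word, and looks for
# the password hints the recipe scores. Both messages are constructed; the
# encrypted archive is a hand-built header, since only its first 30 bytes
# matter for the check.

```python
"""ZIP attachment and encryption-bit check for the Bagle pattern: added
example, not SpamBouncer code. Messages are constructed; the encrypted
archive is a hand-built local file header (the check reads 30 bytes)."""
import base64
import email
import io
import re
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"  # every ZIP entry starts with this signature
ENCRYPTED_FLAG = 0x0001        # bit 0 of the general purpose flag word
# base64 of PK\x03\x04 begins "UEsDB": the string the recipe keys on
B64_ZIP_PREFIX = base64.b64encode(ZIP_LOCAL_SIG)[:5].decode()

# Password hints in the forms the recipe scores ("pass: 12345",
# 'The password is "12345"', "12345 -- archive password", ...)
PASSWORD_HINT_RE = re.compile(
    r'(archive\s+)?password(\s+for\s+archive)?\s*(is|[:-]+)\s*"?[0-9]{5}"?'
    r"|\bpass:\s*[0-9]{5}\b"
    r"|\b[0-9]{5}\s+(--\s+archive\s+password|is\s+a\s+password\s+for)", re.I)


def plain_zip_bytes():
    """A real, unencrypted ZIP with one harmless entry (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "nothing to see")
    return buf.getvalue()


def encrypted_zip_header(name=b"photo.exe"):
    """Minimal local file header with the encryption bit set (constructed)."""
    return struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, ENCRYPTED_FLAG,
                       0, 0, 0, 0, 0, 0, len(name), 0) + name


def inspect_zip(data):
    """Returns (is_zip, first_entry_encrypted, first_entry_name)."""
    if len(data) < 30 or data[:4] != ZIP_LOCAL_SIG:
        return False, False, ""
    flags = struct.unpack_from("<H", data, 6)[0]      # general purpose flags
    name_len = struct.unpack_from("<H", data, 26)[0]  # file name length
    name = data[30:30 + name_len].decode("latin-1", "replace")
    return True, bool(flags & ENCRYPTED_FLAG), name


def build_message(body, filename, data):
    """Constructed multipart/mixed message: text part plus one base64 attachment."""
    b64 = base64.encodebytes(data).decode()
    return ('Subject: hi\nContent-Type: multipart/mixed; boundary="b1"\n\n'
            f"--b1\nContent-Type: text/plain\n\n{body}\n"
            f'--b1\nContent-Type: application/octet-stream; name="{filename}"\n'
            "Content-Transfer-Encoding: base64\n"
            f'Content-Disposition: attachment; filename="{filename}"\n\n{b64}--b1--\n')


def scan(raw):
    """One record per ZIP attachment: filename, base64 prefix, encryption, inner name."""
    msg = email.message_from_string(raw)
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        is_zip, encrypted, inner = inspect_zip(part.get_payload(decode=True) or b"")
        if is_zip:
            found.append({"attachment": part.get_filename() or "",
                          "b64_prefix": part.get_payload()[:5],
                          "encrypted": encrypted, "first_entry": inner})
    return found


def password_hint(raw):
    """True when any text part carries one of the Bagle-style password hints."""
    msg = email.message_from_string(raw)
    return any(PASSWORD_HINT_RE.search((p.get_payload(decode=True) or b"").decode("latin-1", "replace"))
               for p in msg.walk() if p.get_content_maintype() == "text")


def is_bagle_like(raw):
    """ZIP attached and either its first entry is encrypted or the text hands
    out the password: the combination the recipe above is scoring for."""
    zips = scan(raw)
    return bool(zips) and (any(z["encrypted"] for z in zips) or password_hint(raw))


ENCRYPTED_MSG = build_message("See attach.\n\nNote: Use password to open archive.\npass: 12345",
                              "photos.zip", encrypted_zip_header())
PLAIN_MSG = build_message("Here is the quarterly summary.", "summary.zip", plain_zip_bytes())
HINT_ONLY_MSG = build_message('The password is "54321".', "doc.zip", plain_zip_bytes())
```

# Reading the flag word is what the raw-body recipe cannot do; a password
# hint with no encrypted entry is still scored, as in the recipe, because the
# archive can also be a plain ZIP wrapping the executable.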
:0 B
* ! ^Subject:.*${BYPASSWD}
* 300^0 ^Argh, i don't like the plaintext :\)$
* 300^0 ^ I don't bite, weah!$
* 300^0 ^You have won!!!$
* 300^0 ^The access is open !!!$
* 500^0 ^See attach\.
$
* 800^0 ^
Note: Use password to open archive\.
$
* 500^0 ^[0-9][0-9][0-9][0-9][0-9] -- archive password$
* 500^0 ^\.(\.)+btw, (\")?[0-9][0-9][0-9][0-9][0-9](\")? is a password for( )+archive$
* 500^0 ^pass: [0-9][0-9][0-9][0-9][0-9]$
* 500^0 ^password -- [0-9][0-9][0-9][0-9][0-9]$
* 500^0 ^(
)?password:
* 500^0 ^(archive )?password( for archive)?: [0-9][0-9][0-9][0-9][0-9]$
* 500^0 ^For( )+security( )+reasons( )+attached( )+file( )+is( )+password( )+protected\.( )+The( )+\
password( )+is( )+\"[0-9][0-9][0-9][0-9][0-9]"\.$
* 500^0 ^For( )+security( )+purposes( )+the( )+attached( )+file( )+is( )+password( )+protected\.( )+\
Password( )+is( )+\"[0-9][0-9][0-9][0-9][0-9]\"\.$
* 500^0 ^Attached( )+file( )+protected( )+with( )+the( )+password( )+for( )+security( )+\
reasons\.( )+Password( )+is( )+[0-9][0-9][0-9][0-9][0-9]\.$
* 500^0 ^In( )+order( )+to( )+read( )+the( )+attach( )+you( )+have( )+to( )+use( )+the( )+\
following( )+password:( )+[0-9][0-9][0-9][0-9][0-9]\.$
* 600^0 ^Content-Transfer-Encoding: base64$Content-Disposition: attachment; \
(file)?name( )*=( )*(\")?[0-9a-z][-_0-9a-z.]+\.zip(\")?$(.*$)+\
UEsDB
* 300^0 (^|[^-_0-9a-z])THAT THINGS STAY BEYOND THE NORMAL LIFE AND COMMON UNDERSTANDING([^a-z0-9.]|\. |\.$|$)
* 300^0 (^|[^-_0-9a-z])THE PROBLEM IS THAT PEOPLE DON'T UNDERSTAND SUCH WILD THINGS,([^a-z0-9.]|\. |\.$|$)
* 300^0 (^|[^-_0-9a-z])LIKE A MAN DID NEVER UNDERSTAND THE WILD LIFE([^a-z0-9.]|\. |\.$|$)
* 300^0 (^|[^-_0-9a-z])-- Author of Bagle([^a-z0-9.]|\. |\.$|$)
* 500^0 ^Here( )+is( )+the( )+file( )*\.( )*
( )*
$
* 1100^0 ^
Password:
$
* 600^0 ^
Archive( )+password:( )+( )*
( )*$
* 1100^0 ^----------[a-z]+$\
Content-Type: text/html; charset=\"us-ascii\"$\
Content-Transfer-Encoding: 7bit$$\
()$(.*$)+$$\
----------[a-z]+$\
Content-Type: image/jpeg; name=\"[0-9a-z][-_0-9a-z]+\.(gif|jpe?g)\"$\
Content-Transfer-Encoding: base64$\
Content-Disposition: attachment; filename=\"[0-9a-z][-_0-9a-z]+\.(gif|jpe?g)\"$\
Content-ID: <[0-9a-z][-_0-9a-z]+\.(gif|jpe?g)>$$(.*$)+$$\
----------[a-z]+$\
Content-Type: application/octet-stream; name=\"[0-9a-z][-_0-9a-z]+\.(bat|com|cmd|cpl|exe|hta|lnk|pif|scr|vbs|zip)\"$\
Content-Transfer-Encoding: base64$\
Content-Disposition: attachment; filename=\"[0-9a-z][-_0-9a-z]+\.(bat|com|cmd|cpl|exe|hta|lnk|pif|scr|vbs|zip)\"
* 1100^0 ^----------[a-z]+$\
Content-Type: text/html; charset=\"us-ascii\"$\
Content-Transfer-Encoding: 7bit$$\
()$(.*$)+$$\
----------[a-z]+$\
Content-Type: application/octet-stream; name=\"[0-9a-z][-_0-9a-z]+\.(bat|com|cmd|cpl|exe|hta|lnk|pif|scr|vbs|zip)\"$\
Content-Transfer-Encoding: base64$\
Content-Disposition: attachment; filename=\"[0-9a-z][-_0-9a-z]+\.(bat|com|cmd|cpl|exe|hta|lnk|pif|scr|vbs|zip)\"
{
SBLOG="A1S-DANGER! Probable Bagle Virus/Worm Variant (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ DANGEROUS=yes }
:0
{ SPAMTAG=yes }
}
# Probable Duksten Worm
#
:0 BH
* VIRUSTAG ?? no
* -1000^0
* 500^0 ^From: \"ISP_Tecnico\"< skudo@iris\.es >
* 200^0 ^From:$
* 500^0 ^Subject: NetsKudo([^a-z0-9.]|\. |\.$|$)
* 500^0 ^Subject: ProTeccion TOTAL contra W32/Bugbear \(30dias\)([^a-z0-9.]|\. |\.$|$)
* 500^0 (^|[^-_0-9a-z])(protect|skudo)(\.|=2E)zip([^a-z0-9.]|\. |\.$|$)
{
SBLOG="A1S-DANGER! Probable Duksten Virus/Worm (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ SPAMTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable Dumador Virus/Worm Variant
#
:0
* VIRUSTAG ?? no
* -1000^0
* 800^0 ^Vrey improtant( )
* 800^0 ^Vrey improtnat( )
* 800^0 ^Your pass(word)? is [0-9a-z]+$
* 300^0 ^------=_NextPart_[^ ]+$\
Content-Type: application/zip;$\
[^0-9a-z]*name=\"([0-9a-z][-_0-9a-z]+\.)+zip\"$\
Content-Transfer-Encoding: base64$\
Content-Disposition: attachment;$\
[^0-9a-z]*filename=\"([0-9a-z][-_0-9a-z]+\.)+zip\"$$\
UEsDB
{
SBLOG="A1S-DANGER! Probable Dumador Virus Variant (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ VIRUSTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable Extreme-DM Trojan
#
:0 BH
* -1000^0
* 1100^0 ^(- )?--[-_0-9a-z\.=+/]+$Content-Disposition: (attachment|inline);?( |$)[^-_0-9a-z]*filename:=.?extreme-dm\.com.?$
* 1100^0 ^(- )?--[-_0-9a-z\.=+/]+$Content-Type: application/[-_0-9a-z]+;?( |$)[^-_0-9a-z]*name:=.?extreme-dm\.com.?$
{
SBLOG="A1S-DANGER! Probable Extreme-dm.com Trojan (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ SPAMTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable Gruel Worm
#
LOCALTAG=no
:0
* VIRUSTAG ?? no
* ^From:.*\"(Microsoft|MS)( [ a-z]+)?\"
* ! ^From:.*[^-_0-9a-z]microsoft\.com([^a-z0-9.]|\. |\.$|$)
* ^Subject: (Newest )?(Network )?Security (Pack|Patch|Update)$
{ LOCALTAG=yes }
:0
* VIRUSTAG ?? no
* ! LOCALTAG ?? yes
{
:0 BH
* ! --.*forwarded message --
* ! ^forwarded message:
* -1000^0
* 500^0 ^Subject: (Internet Security Patch|\
Network Security Pack|\
Newest Security Update|\
Symantec: New serious virus found)
* 200^0 ^Norton Security Response: has detected a new virus in the Internet\. For this$
* 200^0 ^reason we made this tool attachement, to protect your computer from this$
* 200^0 ^serious virus\. Due to the number of submissions received from customers,$
* 200^0 ^Symantec Security Response has upgraded this threat to a Category 5 \(Maximum.?\)\.$
* 200^0 ^Norton Security Response: has detected a new virus in the Internet. For this$
* 200^0 ^\"July 2003, Cumulative Patch\" update which eliminates$
* 200^0 ^all known security vulnerabilities affecting Internet Explorer,$
* 200^0 ^Outlook and Outlook Express as well as five newly$
* 200^0 ^an attacker to run executable on your system. This update includes$
* 200^0 ^Content-Type: application/x-zip-compressed; name=.?Rundll32\.exe.?$
* 200^0 ^this is the latest version of security update, the$
* 200^0 ^\"August 2003, Cumulative Patch\" update which eliminates$
* 200^0 ^all known security vulnerabilities affecting Internet Explorer,$
* 200^0 ^Outlook and Outlook Express as well as five newly$
* 200^0 ^discovered vulnerabilities\. Install now to protect your computer$
* 200^0 ^from these vulnerabilities, the most serious of which could allow$
* 200^0 ^an attacker to run executable on your system\. This update includes$
* 200^0 ^the functionality of all previously released patches\.$
{ LOCALTAG=yes }
}
:0
* LOCALTAG ?? yes
{
SBLOG="A1S-DANGER! Probable Gruel Worm (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ SPAMTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable Homepage Worm
#
:0 BH
* VIRUSTAG ?? no
* -1000^0
* 1100^0 ^Subject: Homepage
* 1100^0 Homepage\.HTML\.vbs
{
SBLOG="A1S-DANGER! Probable Homepage.vbs Virus (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ VIRUSTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable Mitglieder Trojan Variant
#
:0
* VIRUSTAG ?? no
* -1000^0
* B ?? 1100^0 ^--[^ ]+$\
Content-Type: text/html; charset=\"us-ascii\"$\
Content-Transfer-Encoding: 7bit$$\
()$\
( )
$$\
()
$\
$$\
--[^ ]+$
{
SBLOG="A1S-DANGER! Probable Mitglieder Trojan Variant (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ VIRUSTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable Mydoom Virus/Worm
#
:0 BD
* VIRUSTAG ?? no
* -1000^0
* 1100^0 ^------=_NextPart_[0-9]+_[0-9]+_[0-9A-E]+\.[0-9A-E]+( )*$\
Content-Type: text/plain;$\
[^0-9a-z]*charset=\"Windows-1252\"$\
Content-Transfer-Encoding: 7bit$$(.*$)+$$$\
------=_NextPart_[0-9]+_[0-9]+_[0-9A-E]+\.[0-9A-E]+( )*$\
Content-Type: application/octet-stream;$\
[^0-9a-z]*name=\"[0-9a-z][-_0-9a-z]+\.(bat|com|cmd|cpl|exe|hta|lnk|pif|rar|scr|vbs|zip)\"$\
Content-Transfer-Encoding: base64$\
Content-Disposition: attachment;$\
[^0-9a-z]*filename=\"[0-9a-z][-_0-9a-z]+\.(bat|com|cmd|cpl|exe|hta|lnk|pif|rar|scr|vbs|zip)\"
* 1100^0 ^------=_NextPart_[0-9]+_[0-9]+_[0-9A-E]+\.[0-9A-E]+( )*$\
Content-Type: text/plain;$\
[^0-9a-z]*charset=us-ascii$\
Content-Transfer-Encoding: 7bit$$(.*$)*(.*[^ ][©®][^ ].*$)+(.*$)*$$$\
------=_NextPart_[0-9]+_[0-9]+_[0-9A-E]+\.[0-9A-E]+( )*$\
Content-Type: application/octet-stream;$\
[^0-9a-z]*name=\"[0-9a-z][-_0-9a-z]+\.zip\"$\
Content-Transfer-Encoding: base64$\
Content-Disposition: attachment;$\
[^0-9a-z]*filename=\"[0-9a-z][-_0-9a-z]+\.zip\"
* 500^0 ^Dear user of [0-9a-z]+\.[a-z]+,$
* 500^0 ^Your account has been used to send a large amount of spam messages during the recent week\.$
* 500^0 ^Obviously, your computer was infected by a recent virus and now contains a trojaned proxy server\.$
* 500^0 ^We recommend that you follow instruction in the attached file in order to keep your computer safe\.$
* 500^0 ^We have detected that your email account has been used to send a large amount of spam messages during this week\.$
* 500^0 ^Most likely your computer was compromised and now runs a hidden proxy server\.$
* 500^0 ^Please follow instructions in order to keep your computer safe\.$
* 500^0 ^Hello( )+user( )+of( )+([0-9a-z][-_0-9a-z]+\.)+[a-z][a-z][a-z]?[a-z]?( )+e.?mail( )+server,( )*
( )*$
* 500^0 ^Our( )+main( )+mailing( )+server( )+will( )+be( )+temporary( )+unavaible( )+for( )+next( )+two( )+days,$
* 500^0 ^
to( )+continue( )+receiving( )+mail( )+in( )+these( )+days( )+you( )+have( )+to( )+configure( )+our( )+free
$
* 500^0 ^auto-forwarding( )+service\.
$
* 500^0 ^
For( )+security( )+reasons( )+attached( )+file( )+is( )+password( )+protected\.( )+The( )+password( )+is( )+
$
* 500^0 ^(We have (found|received reports).*)?your (e.?mail )?account.*(junk email|spam|unsolicited.*e.?mail).*(last|recent|this) week\.$
* 500^0 ^(Obviously|Probably).*your computer.*(compromised|infected).*(hidden|trojan) proxy server\.$
* 500^0 ^(We recommend|please).*follow.*instructions?.*.*keep your computer safe\.$
* 1100^0 ^------=_NextPart_[^ ]+$\
Content-Type: text/plain;$\
[^0-9a-z]*charset=us-ascii$\
Content-Transfer-Encoding: 7bit$$\
The original message was included as attachment$
{
SBLOG="A1S-DANGER! Probable Mydoom Virus Variant (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ VIRUSTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable Mytob Virus/Worm Variant
#
:0
* VIRUSTAG ?? no
* -1000^0
* 500^0 ^( )*$( )*$
Dear user [0-9a-z]+,
$
* 500^0 (^|[^0-9a-z])For further details see the attached document\.
$
* 500^0 ^
\+\+\+ Attachment: No Virus \(Clean\)
$
* 500^0 ^
\+\+\+ [0-9a-z]+ Antivirus - www\.[0-9a-z][-_0-9a-z]+\.[a-z][a-z][a-z]?[a-z]? $
* 500^0 ^
Dear [0-9a-z]+ Member,
$
* 500^0 ^
We have temporarily suspended your email account [0-9a-z][-_0-9a-z]+@[0-9a-z][-_0-9a-z]+\.[a-z][a-z][a-z]?[a-z]?\.
$
* 500^0 ^
See the details to reactivate your [0-9a-z]+ account\.
$
* 500^0 ^
See the details to reactivate your [0-9a-z]+ account\.
$
{
SBLOG="A1S-DANGER! Probable Mytob Virus Variant (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ VIRUSTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable NetFriend Worm/Virus
#
:0 BH
* VIRUSTAG ?? no
* -1000^0
* 500^0 ^Subject: Would you like a Net Friend \?$
* 500^0 (^|[^-_0-9a-z])Look at this zip file to find a Net Friend([^a-z0-9.]|\. |\.$|$)
* 500^0 (^|[^-_0-9a-z])NetFriends(\.|=2E)exe([^a-z0-9.]|\. |\.$|$)
{
SBLOG="A1S-DANGER! Probable NetFriend Virus/Worm (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ VIRUSTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable Netsky Virus/Worm Variant
#
:0 BH
* VIRUSTAG ?? no
* -1000^0
* 1100^0 ^------=_NextPart_[^ ]+----=_NextPart_[^ ]+$\
Content-Type: text/plain;$\
[^0-9a-z]*charset=\"Windows-1252\"$\
Content-Transfer-Encoding: 7bit$$.*$$(.*$.*$$)?$\
------=_NextPart_[^ ]+----=_NextPart_[^ ]+$
* 600^0 ^Mail Delivery Error - This mail contains unicode characters$
* 600^0 ^Delivery Failure - Invalid mail specification$
* 600^0 ^Received message has been attached\.$
* 600^0 ^Your document is attached to this mail\.$
* 600^0 ^The message has been sent as a binary attachment\.$
* 600^0 ^Please read the important document\.$
* 1100^0 ^(\+)+ Attachment: No Virus found$\
(\+)+ (F-Secure AntiVirus - www\.f-secure\.com|\
Bitdefender AntiVirus - www\.bitdefender\.com|\
Kaspersky AntiVirus - www\.kaspersky\.com|\
MC-Afee AntiVirus - www\.mcafee\.com)$
* 600^0 ^()If the message will not displayed automatically,
$
* 300^0 ^follow the link to read the delivered message.
$
* 300^0 ^Received message is available at:
$
* 500^0 ^Subject: Delivery failure notice \(ID-[0-9a-f]+\)$
* 500^0 ^Subject: Important$
* 500^0 ^Exim Status OK\.$$External message is available\.$
* 500^0 ^[^0-9a-z]*filename=\"[0-9a-z][-_0-9a-z]+\.[0-9a-z][-_0-9a-z]+\.[a-z][a-z][a-z]?[a-z]?\.[0-9a-z][-_0-9a-z]+\.session-[0-9a-f]+\.com\"$
* 500^0 ^Important textfile!$$$
* 500^0 ^Waiting for authentification\.$$$
* 500^0 ^I hope you accept the result!$$
* 1100^0 ^------=_NextPart_[0-9]+_[0-9]+----=_NextPart_[0-9]+_[0-9]+$Content-Type: application/octet-stream;$$\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+]$\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+]$\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+][0-9a-z/+]\
[0-9a-z/+][0-9a-z/+]$
* 300^0 ^Please confirm the document\.$$
* 300^0 ^--------------------------------------------$
* 500^0 ^[0-9a-z]+\.zip: No virus found$\
Powered by the new Norton OnlineScan$\
Get protected: www\.symantec\.com$
{
SBLOG="A1S-DANGER! Probable Netsky Virus/Worm Variant (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ SPAMTAG=yes }
:0
{ DANGEROUS=yes }
}
# Probable ZIP archive DOS attack
#
# (ICAgICAgICAg is the base64 encoding of a run of space characters; a
# base64 line containing that string is what the pattern matches.)
#
:0 B
* VIRUSTAG ?? no
* -1000^0
* 300^0 ^[^ ]*ICAgICAgICAg[^ ]*$
{
SBLOG="A1S-DANGER! Probable ZIP Archive DOS attack (Pattern Match)"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ VIRUSTAG=yes }
:0
{ DANGEROUS=yes }
}
# GENERIC DANGEROUS CONTENT
# Embedded IFRAME
#
# This catches email with embedded IFRAMEs, which can load and run remote
# executable content in some email programs and are therefore
# dangerous.
#
:0 BH
* DANGEROUS ?? no
* IFRAMECHECKING ?? yes
* -1000^0
* 1100^1 ()
{
SBLOG="A1S-DANGER! Embedded iframe"
INCLUDERC=${SBDIR}/functions/loglevel.rc
:0
{ DANGEROUS=yes }
:0
{ SPAMTAG=yes }
}
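# The IFRAME check above and the script check that follows both match on the
# raw body. As an added example, not SpamBouncer code, here is the same tag
# search in Python after undoing the Content-Transfer-Encoding, with a
# recipe-style per-occurrence score (the ^1 exponent). Both messages are
# constructed (192.0.2.7 is a documentation address); the point it shows is
# that the identical HTML, once base64-encoded, is invisible to a regex over
# the undecoded body and only appears after the part is decoded.

```python
"""<iframe>/<script> search over decoded HTML parts: added example, not
SpamBouncer code. Constructed messages; shows the raw-body blind spot."""
import base64
import email
import re

ACTIVE_TAG_RE = re.compile(r"<\s*(iframe|script)\b[^>]*>", re.I)
SRC_RE = re.compile(r"""\bsrc\s*=\s*["']?([^\s"'>]+)""", re.I)

# Constructed HTML: a zero-size iframe and a remote script, the two things
# the IFRAMECHECKING and SCRIPTCHECKING recipes are there to catch.
HTML = ('<html><body>Invoice attached.'
        '<iframe src="http://192.0.2.7/load.php" width="0" height="0"></iframe>'
        '<script src="http://192.0.2.7/x.js"></script></body></html>')


def message_7bit(html):
    """The HTML sent as-is."""
    return ("Subject: invoice\nContent-Type: text/html; charset=us-ascii\n"
            "Content-Transfer-Encoding: 7bit\n\n" + html + "\n")


def message_base64(html):
    """The same HTML, base64-encoded in transit."""
    return ("Subject: invoice\nContent-Type: text/html; charset=us-ascii\n"
            "Content-Transfer-Encoding: base64\n\n"
            + base64.encodebytes(html.encode()).decode())


def raw_body_hits(raw):
    """What a regex over the undecoded body (the recipe's B flag view) sees."""
    body = raw.split("\n\n", 1)[1]
    return [m.group(1).lower() for m in ACTIVE_TAG_RE.finditer(body)]


def decoded_hits(raw):
    """(tag, src) for every iframe/script found after decoding each text/html part."""
    msg = email.message_from_string(raw)
    hits = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = (part.get_payload(decode=True) or b"").decode(
            part.get_content_charset() or "us-ascii", "replace")
        for m in ACTIVE_TAG_RE.finditer(html):
            src = SRC_RE.search(m.group(0))
            hits.append((m.group(1).lower(), src.group(1) if src else ""))
    return hits


def score(raw, iframe_weight=1100, script_weight=600):
    """Recipe-style score: -1000 base plus a weight per occurrence (the ^1 exponent)."""
    total = -1000
    for tag, _ in decoded_hits(raw):
        total += iframe_weight if tag == "iframe" else script_weight
    return total
```

# The src values come out with the tags, so a second rule can score an
# iframe or script that loads from a bare IP address the way the Internet
# Explorer recipe above scores such URLs.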
# Embedded Scripts
#
# This catches HTML-based email with embedded scripting code
# (JavaScript or other).
#
:0 BH
* DANGEROUS ?? no
* SCRIPTCHECKING ?? yes
* -1000^0
* 600^1 ()