# MALWARE-PATTERNS.RC
#
#  Malware, viruses, etc.
#
#  Last updated: 10/14/2016


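# Malware flood subjects
#
# Weighted recipe.  The empty first condition sets a base score of -4;
# the remaining conditions add 2 for a known-bad Subject line, 3 for an
# archive/office attachment name in the body, and 3 for a macro-enabled
# Word MIME type or the "--_com.android.email" marker in the body (the
# latter is presumably a MIME boundary prefix from the Android mail
# client -- TODO confirm).  A weighted recipe only fires when the total
# is positive, so any TWO of the three indicators tag the message and a
# single indicator (at most 3 - 4 = -1) never does.
#
# Subject alternatives: either a leading "Attached:/Emailing:/File:/FW:/
# Order:/RE:" prefix, or one of the listed phrases.  "( )*" matches an
# optional run of spaces and "$" pins the phrase to the end of the
# Subject line.  Procmail matches case-insensitively by default, so the
# mixed case in the phrases is cosmetic.
#
# LOCALTAG is consumed by the dispatcher recipe at the end of this file.
:0
*      -4^0
* H ??  2^0  ^Subject:(( )*[^0-9a-z])?((Attached|\
                                        Emailing|\
                                        File|\
                                        FW|\
                                        Order|\
                                        RE):|\
                                       August( )*invoice( )*$|\
                                       Bank( )*transactions( )*$|\
                                       Commission( )*$|\
                                       Confirmation( )*$|\
                                       cop(ies|y)( )*$|\
                                       Credit( )*card( )*receipt( )*$|\
                                       Delivery( )*Reports( )*About( )*Your( )*E-mail( )*$|\
                                       Document( )*$|\
                                       Fax( )*$|\
                                       Invoice( )*(INV[0-9][0-9]*)?$|\
                                       Message( )*from( )*\"CUK|\
                                       Monthly( )*Report( )*$|\
                                       mortgage documents( )*|\
                                       Office( )*Equipment( )*$|\
                                       paycheck( )*$|\
                                       Photo( )*$|\
                                       Please( )*find( )*attached( )*invoice|\
                                       Returned mail: Data format error( )*$|\
                                       Shipping( )*confirmation( )*$|\
                                       suspected( )*Purchases( )*$|\
                                       transaction( )*details( )*$|\
                                       Voice( )*Message( )*from( )*Outside( )*Caller( )*\([^)]*\)$)
* B ??  3^0  (^|[^0-9a-z])[0-9a-z][-_0-9a-z]*\.(cab|doc[mx]?|pptx?|rar|rtf|tgz|xlsx?|zip)([^0-9a-z.]|$)
* B ??  3^0  ([-][-]_com\.android\.email|\
        application/vnd\.ms-word\.document\.macroEnabled\.[0-9][0-9];)
{ LOCALTAG=yes }
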
# Document Attachments with Scripts Explicitly Enabled
#
# Unscored twin of the last condition in the flood recipe above: a
# message whose body carries the macro-enabled Word MIME type
# (application/vnd.ms-word.document.macroEnabled.NN;) or the
# "--_com.android.email" marker (presumably a MIME boundary prefix from
# the Android mail client -- TODO confirm) is tagged on its own, with no
# Subject or attachment-name evidence required.
:0
* B ?? ([-][-]_com\.android\.email|\
        application/vnd\.ms-word\.document\.macroEnabled\.[0-9][0-9];)
{ LOCALTAG=yes }

# Executable Attachments
#
# Scored recipe: base score -1, then two body (B) conditions worth +1
# each -- MIME part headers live in the body, which is why they are
# searched with B rather than H:
#   1. a Content-Type line for macro-enabled Word documents;
#   2. a name= or filename= parameter whose dotted file name ends in one
#      of the listed executable/script extensions.
# NOTE(review): a weighted recipe only fires when the total is positive,
# so -1 + 1 = 0 means a SINGLE matching condition does not tag the
# message -- both must match.  If the intent is "either indicator is
# enough", as the heading suggests, the base score or the weights need
# adjusting; confirm the intended semantics before changing.
:0
*       -1^0
* B ??   1^0  (^|[^0-9a-z])Content-Type: application/vnd\.ms-word\.document\.macroEnabled([^0-9a-z.]|$)
* B ??   1^0  (^|[^0-9a-z])(file)?name[^0-9a-z]*=[^0-9a-z]*([0-9a-z][-_0-9a-z]+\.)+\
                           (bat|com|cmd|cpl|dll|exe|hqx|hta|jar|lnk|pif|scr)([^0-9a-z.]|$)
{ LOCALTAG=yes }

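# Hidden Executable Attachments
#
# Catches double-extension names such as "invoice.pdf.exe" (constructed
# example): a dotted file name, a short (1-3 character) decoy extension,
# then one of the executable/script extensions.  This is an ordinary
# unscored condition, so a single match tags the message.
#
# Kept in step with the "Executable Attachments" recipe above: the
# parameter match accepts both name= and filename= (a bare "name"
# anchored on a non-alphanumeric would miss "filename="), and the
# extension list is identical, including jar.
:0
* B ?? (^|[^0-9a-z])(file)?name[^0-9a-z]*=[^0-9a-z]*([0-9a-z][-_0-9a-z]+\.)+\
                    [0-9a-z][0-9a-z]?[0-9a-z]?\.(bat|com|cmd|cpl|dll|\
                    exe|hqx|hta|jar|lnk|pif|scr)([^0-9a-z.]|$)
{ LOCALTAG=yes }
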
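# Dispatcher.  The recipes above only set LOCALTAG; this block turns the
# tag into a log entry and then either discards the message (when
# NUKEMALWARE contains "yes") or marks it as spam and dangerous for the
# rest of the rc chain.
:0
* LOCALTAG ?? ^yes$
{
 SBLOG="A1R-Malware Flood Pattern Detected"
 INCLUDERC=${SBDIR}/functions/loglevel.rc

 # Optional hard discard.  Delivering to /dev/null ends processing, so
 # the SPAMTAG/DANGEROUS assignments below only run when this recipe
 # does not fire.  The log label names the variable actually honoured
 # here (NUKEMALWARE, not NUKEBOUNCES).
 :0
 * NUKEMALWARE ?? yes
 {
  SBLOG="L1-NUKEMALWARE=${NUKEMALWARE}"
  INCLUDERC=${SBDIR}/functions/loglevel.rc

  :0
  /dev/null
 }

 :0
 { SPAMTAG=yes }

 :0
 { DANGEROUS=yes }
}
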