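# MALWARE-PATTERNS.RC
#
# Malware, viruses, etc.
#
# Last updated: 10/14/2016
#
# Every pattern recipe below sets LOCALTAG=yes when it matches; the last
# recipe turns that tag into a log line, an optional discard (NUKEMALWARE)
# and the SPAMTAG/DANGEROUS markers that later rcfiles read.
#
# Scoring notation: "w^0" adds w to the recipe's running total the first
# time the condition matches and nothing for any further matches.  A
# leading negative score acts as the threshold, because procmail only
# fires a scored recipe when the total ends up positive.


# Malware flood subjects
#
# Starts at -4: a matching subject (2) must be accompanied by an
# attachment-style filename (3) or a macro-enabled Word part (3) before
# the recipe fires, so a lone "Invoice" subject is not enough on its own.
# NOTE(review): "Bank( )*transactions( )$" demands exactly one trailing
# space and "mortgage documents( )*" is not anchored, unlike the sibling
# alternatives; confirm whether either is intentional before "fixing".
:0
* -4^0
* H ?? 2^0 ^Subject:(( )*[^0-9a-z])?((Attached|\
    Emailing|\
    File|\
    FW|\
    Order|\
    RE):|\
    August( )*invoice( )*$|\
    Bank( )*transactions( )$|\
    Commission( )*$|\
    Confirmation( )*$|\
    cop(ies|y)( )*$|\
    Credit( )*card( )*receipt( )*$|\
    Delivery( )*Reports( )*About( )*Your( )*E-mail( )*$|\
    Document( )*$|\
    Fax( )*$|\
    Invoice( )*(INV[0-9][0-9]*)?$|\
    Message( )*from( )*\"CUK|\
    Monthly( )*Report( )*$|\
    mortgage documents( )*|\
    Office( )*Equipment( )*$|\
    paycheck( )*$|\
    Photo( )*$|\
    Please( )*find( )*attached( )*invoice|\
    Returned mail: Data format error( )*$|\
    Shipping( )*confirmation( )*$|\
    suspected( )*Purchases( )*$|\
    transaction( )*details( )*$|\
    Voice( )*Message( )*from( )*Outside( )*Caller( )*\([^)]*\)$)
* B ?? 3^0 (^|[^0-9a-z])[0-9a-z][-_0-9a-z]*\.(cab|doc[mx]?|pptx?|rar|rtf|tgz|xlsx?|zip)([^0-9a-z.]|$)
* B ?? 3^0 ([-][-]_com\.android\.email|\
    application/vnd\.ms-word\.document\.macroEnabled\.[0-9][0-9];)
{ LOCALTAG=yes }

# Document Attachments with Scripts Explicitly Enabled
#
# Unscored: either alternative alone is enough.  The macroEnabled MIME
# type is matched together with its ".NN" version suffix.
:0
* B ?? ([-][-]_com\.android\.email|\
    application/vnd\.ms-word\.document\.macroEnabled\.[0-9][0-9];)
{ LOCALTAG=yes }

# Executable Attachments
#
# The macroEnabled Content-Type carries a ".NN" version suffix (the recipe
# above expects exactly that), so the trailing class after "macroEnabled"
# must admit a "." -- with "." excluded the first condition could never
# match a real header.
# NOTE(review): with -1^0 and two 1^0 conditions, a single matching
# condition totals 0, so the recipe only fires when BOTH match; confirm
# that "both" rather than "either" was the intent.
:0
* -1^0
* B ?? 1^0 (^|[^0-9a-z])Content-Type: application/vnd\.ms-word\.document\.macroEnabled([^0-9a-z]|$)
* B ?? 1^0 (^|[^0-9a-z])(file)?name[^0-9a-z]*=[^0-9a-z]*([0-9a-z][-_0-9a-z]+\.)+\
    (bat|com|cmd|cpl|dll|exe|hqx|hta|jar|lnk|pif|scr)([^0-9a-z.]|$)
{ LOCALTAG=yes }

# Hidden Executable Attachments
#
# Catches "name=something.<1-3 chars>.exe"-style double extensions.
# Unscored: the single condition is enough on its own.
:0
* B ?? (^|[^0-9a-z])name[^0-9a-z]*=[^0-9a-z]*([0-9a-z][-_0-9a-z]+\.)+\
    [0-9a-z][0-9a-z]?[0-9a-z]?\.(bat|com|cmd|cpl|dll|\
    exe|hqx|hta|lnk|pif|scr)([^0-9a-z.]|$)
{ LOCALTAG=yes }

# Act on anything tagged above: log it, optionally discard it, and mark
# the message as spam and dangerous for the rcfiles that follow.
:0
* LOCALTAG ?? ^yes$
{
    SBLOG="A1R-Malware Flood Pattern Detected"
    INCLUDERC=${SBDIR}/functions/loglevel.rc

    # Optional discard.  The log label names the variable it reports;
    # delivering to /dev/null ends processing for this message.
    :0
    * NUKEMALWARE ?? yes
    {
        SBLOG="L1-NUKEMALWARE=${NUKEMALWARE}"
        INCLUDERC=${SBDIR}/functions/loglevel.rc

        :0
        /dev/null
    }

    :0
    { SPAMTAG=yes }

    :0
    { DANGEROUS=yes }
}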