
nkvir-rc

Posted May 9, 2004
Authored by nikant | Site agriroot.aua.gr

YAVR, or Yet Another antiVirus Recipe, is a procmail recipe that helps filter out many of the common e-mail worms and viruses.

tags | worm
systems | unix
SHA-256 | 0a2020f64ffde3521d3a9272c239b92de70d8076b994b5aa964249061e2942fe
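
The signature recipes in this file use procmail weighted scoring: a `* -800^0` baseline followed by `* 200^0 <fragment>` conditions, and a recipe fires only when the total is positive. The Python model below is an added example, not part of YAVR; its function names are hypothetical, its signature strings are constructed placeholders, and it assumes `$?^?` stands for an optional line break inside the base64 text.

```python
import re

# Constructed recipes mirroring two shapes used in the file. The fragments
# are made-up placeholders, not real worm signatures.
ALL_FIVE = r"""
* -800^0
* 200^0 AAAAAA1
* 200^0 BBBBBB2
* 200^0 CCCCCC3
* 200^0 DD\+DDD4
* 200^0 EEEEEE5
"""

# Same five fragments plus one heavy condition that is enough on its own.
FIVE_OR_ONE = ALL_FIVE + r"* 900^0 F$?^?G$?^?H$?^?I" + "\n"

COND = re.compile(r"^\*\s*(-?\d+(?:\.\d+)?)\^(\d+(?:\.\d+)?)\s*(.*)$")


def to_python_regex(procmail_pattern):
    """Translate the one procmail idiom the signatures rely on.

    Assumption: in procmail, ^ and $ can match a newline, so "$?^?" is
    modelled here as an optional line break between two characters.
    """
    return procmail_pattern.replace("$?^?", r"(?:\r?\n)?")


def parse_conditions(recipe_text):
    """Return a list of (weight, exponent, compiled_regex_or_None)."""
    conditions = []
    for line in recipe_text.splitlines():
        m = COND.match(line.strip())
        if not m:
            continue
        weight, exponent, pattern = float(m.group(1)), float(m.group(2)), m.group(3)
        # An empty pattern always matches once: it just adds its weight.
        # The recipes use the D flag, so matching stays case-sensitive.
        regex = re.compile(to_python_regex(pattern)) if pattern else None
        conditions.append((weight, exponent, regex))
    return conditions


def score(conditions, body):
    """Weighted score: the k-th match of a condition adds w * x**(k-1)."""
    total = 0.0
    for weight, exponent, regex in conditions:
        if regex is None:
            total += weight
            continue
        hits = sum(1 for _ in regex.finditer(body))
        # With x == 0 only the first hit counts (0**0 == 1, later terms are 0),
        # so repeating one fragment many times cannot satisfy the recipe.
        total += sum(weight * exponent ** k for k in range(hits))
    return total


def fires(recipe_text, body):
    """A weighted recipe succeeds only when the final score is positive."""
    return score(parse_conditions(recipe_text), body) > 0


# Constructed message bodies.
BODY_ALL = "xxAAAAAA1\nBBBBBB2yy\nCCCCCC3\nDD+DDD4\nzzEEEEEE5\n"
BODY_FOUR = "xxAAAAAA1\nBBBBBB2yy\nCCCCCC3\nDD+DDD4\n"
BODY_REPEAT = "AAAAAA1\n" * 10
BODY_WRAPPED = "....F\nGHI....\n"  # heavy fragment split by a base64 line wrap

if __name__ == "__main__":
    for name, body in [("all five", BODY_ALL), ("four", BODY_FOUR),
                       ("one repeated", BODY_REPEAT), ("wrapped", BODY_WRAPPED)]:
        print(name,
              score(parse_conditions(ALL_FIVE), body), fires(ALL_FIVE, body),
              score(parse_conditions(FIVE_OR_ONE), body), fires(FIVE_OR_ONE, body))
```

With five conditions at 200 against a baseline of -800, four hits score exactly 0 and do not fire, so the block behaves as a logical AND; a single 900-weight condition against the same baseline behaves as an OR branch.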

#####################################################################################
############ YAVR (Yet Another antiVirus Recipe) v2.1.1.2
## URL: http://agriroot.aua.gr/~nikant/nkvir/
##
## Copyright (C)2003-2004 Nikos K. Kantarakias - nikant_at_freemail_dot_gr, http://www.nikant.tk
## This program and all its previous versions, are free software;
## you can redistribute it and/or modify it under the terms
## of the GNU General Public License as published by the Free Software Foundation;
## either version 2 of the License, or (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
## GNU General Public License for more details.
##
## You may get a copy of GPLv2 at http://www.gnu.org/licenses/gpl.txt
##
############ YAVR info and usage
## URL: http://agriroot.aua.gr/~nikant/nkvir/
## http://www.freshmeat.net/yavr/
##
# - use it in your .procmailrc file using INCLUDERC=
#
# - needs a directory /virus/ inside your Mail/ dir
#
# - features
# - trap e-worms with base64 signatures (most known like Klez, Hybris, BugBear...)
# - iframe html exploit
# - CLSID hidden extensions exploit
# - xml codebase exploit
# - generic executable trap for bat, pif, vbs, vba, scr, lnk, com, exe
# - generic macro detection for doc,dot,xls,xla files
# - generic detection for most of nigeria scam e-mails (most of them)
# (please remember to configure nigeria scam filter. default is ON)
# - generic detection for porn spam e-mails (some of them)
# (please remember to configure porn spam filter. default is OFF)
# - open relay spam block through www.spamhaus.org
#
# - WARNINGS you receive
# for some of the above (plain iframe, clsid, xml, macro) e-mail is delivered
# normally but gets a WARNING in subject plus its old subject. Warnings are:
# - WARNING-XML-CODEBASE-OBJECT-$SUB
# - WARNING-CLSID-EXTENSION-$SUB
# - WARNING-IFRAME-$SUB
# - WARNING-MACRO-$SUB
# - WARNING-NSCAM-SCORE:$NKNGS-$SUB
# - WARNING-PORN-SCORE:$NKPRNS-$SUB
# - WARNING-MS-EXEC-$SUB
# - SPAMHAUS-$SUB
#
# - X- marks in headers
# X-YAVR: MS-EXEC (any MS executable that wasn't identified by signatures)
# X-YAVR: NIGERIA (nigeria scam)
# X-YAVR: PORN (porn related)
# X-YAVR: MACRO (containing macro code)
# X-YAVR: XML-CODEBASE
# X-YAVR: IFRAME
# X-YAVR: CLSID-EXTENSION
# X-YAVR: SENDMAIL-EXPLOIT
# X-YAVR: VIRUS
# X-YAVR: SPAMHAUS
#
#
# - viral signatures are especially selected, DO NOT CHANGE.
# - if you intend to use them please give appropriate credits to people that worked for those.
#
# - all LOG info goes to your procmailrc log so ACTIVATE IT.
#
# - virus names are different from AV to AV. I use the names given
# from http://www.viruslist.com/
#
# - it would really help if you zip and send me worms that drop in the
# virus-could-be file at nikant_at_freemail_dot_gr
#
#
# -VIRLIST: EICAR-AV-TEST(test NOT virus), Iframe exploit, SirCam, Nimda, Klez,
# Hybris, BadTransII, Tanatos(BugBear), MTX, Elkern, Blebla, Navidad, MyParty,
# Magistr, Lentin(Yaha), Frethem, Gibe, Mawanella, Generic, Funnypics, Happy,
# Opasoft(a,d), Scrambler, PrettyPark, SysClock, Sobig(a,b,c,f,gen), Trood,
# Aliz, CodeGreen.a, IISWorm, GOPWorm, LastWord, Heyya, Sharpei, Avron(Lirva-b,c,e),
# TrojanDownloader.Win32.Ultraset, Ganda, LovGate(f,i), NetThief, Mimail,
# Apost, Blaster(Lovesan), P2P.VB.ai, Dumaru, PWS-LegMir, Swen, Maldal(c,k),
# Roron(51), Icecubes, Energy, Brit (-,b,c,d,h), Sober, Darby(b,gen), Hawawi, LegendMir,
# Torvil.d, Dropper.Mimail.b, Backdoor.PowerSpider.a, Bagle, Novarg(MyDoom), Moodown,
# Bridex
#
#####################################################################################

######### filtering ###############################################################
#nigeria scam filtering: ON or OFF. default is ON
#variable NIGSCAM may also be set at your main procmailrc before including YAVR
:0
* $ ${NIGSCAM:+!}
{ NIGSCAM=ON }


#porn spam filtering: ON or OFF. default is OFF
#variable PORNSPAM may also be set at your main procmailrc before including YAVR
:0
* $ ${PORNSPAM:+!}
{ PORNSPAM=OFF }


#spamhaus filtering: ON or OFF. default is ON
#variable SPAMHAUSYAVR may also be set at your main procmailrc before including YAVR
:0
* $ ${SPAMHAUSYAVR:+!}
{ SPAMHAUSYAVR=ON }
#####################################################################################

######### quarantine ##############################################################
#Microsoft EXEcutable quarantine : ON or OFF. default is ON
#variable YAVRQUARANTEXE may also be set at your main procmailrc before including YAVR
:0
* $ ${YAVRQUARANTEXE:+!}
{ YAVRQUARANTEXE=ON }


#Nigeria scam quarantine : ON or OFF. default is ON
#variable YAVRQUARANTNIG may also be set at your main procmailrc before including YAVR
:0
* $ ${YAVRQUARANTNIG:+!}
{ YAVRQUARANTNIG=ON }


#Porn related quarantine : ON or OFF. default is ON
#variable YAVRQUARANTPRN may also be set at your main procmailrc before including YAVR
:0
* $ ${YAVRQUARANTPRN:+!}
{ YAVRQUARANTPRN=ON }
#####################################################################################

######### warnings ################################################################
#Nigeria scam warnings : ON or OFF. default is ON
#variable YAVRWARNNIG may also be set at your main procmailrc before including YAVR
:0
* $ ${YAVRWARNNIG:+!}
{ YAVRWARNNIG=ON }


#Porn related warnings : ON or OFF. default is ON
#variable YAVRWARNPRN may also be set at your main procmailrc before including YAVR
:0
* $ ${YAVRWARNPRN:+!}
{ YAVRWARNPRN=ON }


#Spamhaus warnings : ON or OFF. default is ON
#variable YAVRWARNSPH may also be set at your main procmailrc before including YAVR
:0
* $ ${YAVRWARNSPH:+!}
{ YAVRWARNSPH=ON }


#Macro warnings : ON or OFF. default is ON
#variable YAVRWARNMAC may also be set at your main procmailrc before including YAVR
:0
* $ ${YAVRWARNMAC:+!}
{ YAVRWARNMAC=ON }


#Executable file warnings : ON or OFF. default is ON
#variable YAVRWARNEXE may also be set at your main procmailrc before including YAVR
:0
* $ ${YAVRWARNEXE:+!}
{ YAVRWARNEXE=ON }
#####################################################################################

######### mail folders ############################################################
#where you want viruses to go..
#variable VIRDIR may also be set at your main procmailrc before including YAVR
#default is $MAILDIR/virus/ where $MAILDIR is a variable from your main procmailrc
#ATTENTION: /virus/ is a directory NOT a file
:0
* $ ${VIRDIR:+!}
{ VIRDIR=$MAILDIR/virus }


#nigeria destination folder
#variable NIGDIR may also be set at your main procmailrc before including YAVR
#default is $VIRDIR/nigeria-scam where $VIRDIR is set right above
:0
* $ ${NIGDIR:+!}
{ NIGDIR=$VIRDIR/nigeria-scam }


#porn destination folder
#variable PORNDIR may also be set at your main procmailrc before including YAVR
#default is $VIRDIR/porn-spam where $VIRDIR is set right above
:0
* $ ${PORNDIR:+!}
{ PORNDIR=$VIRDIR/porn-spam }
#####################################################################################

#####################################################################################
#DO NOT EDIT BELOW THIS LINE UNLESS YOU KNOW WHAT YOU'RE DOING.. ;)
#####################################################################################

LINEBUF=32768

#vars for log
SUB=`formail -zxSubject:`
DATE=`date +"%d/%m/%Y %T"`
NL="
"


###########################################################
# for e-worms signature-based
###########################################################
:0HB
* < 500000
* ^Content-Type[ ]*:.*(application|audio|multipart|mixed|alternative|partial)
* name[ ]*[*]?[ ]*=.*\.[ ]*(bat|pif|cmd|vb[as]|scr|lnk|com|exe|chm|\{[-0-9a-f]+\})(\.....?)?"?[ ]*$
* ^Content-Transfer-Encoding[ ]*:.*(base64|quoted-printable|7bit)
{

# - viral signatures are especially selected, DO NOT CHANGE.
# - if you intend to use them please give appropriate credits to people that worked for those.

###### START-OF-TVqQAAM-FAMILY ######
:0BD
* ^TVqQAAM
{
#for Sobig
:0BD
* -800^0
* 200^0 K/cBHSx
* 200^0 rZVJizb
* 200^0 DrVitFc
* 200^0 rolkJrX
* 200^0 zt8P9pT
{ VNSOBIG=yes }
#Sobig-b
:0BD
* -800^0
* 200^0 gHB/e2v
* 200^0 j1qLR/m
* 200^0 dAgyJY8
* 200^0 0SOIV7x
* 200^0 Gw47Qgh
{ VNSOBIG=yes }
#Sobig-c (by Fredrik Rodland)
:0BD
* -800^0
* 200^0 BSj0hvF
* 200^0 HN8EMuX
* 200^0 LvRtJdz
* 200^0 MdFFlfN
* 200^0 oikgcxQ
{ VNSOBIG=yes }
#Sobig-gen
:0BD
* -800^0
* 200^0 /HrcLhs
* 200^0 qfZjXLv
* 200^0 msFydo9
* 200^0 iJGZx/6
* 200^0 Gg7aCZs
{ VNSOBIG=yes }
#Sobig-gen (UPX packed and scrambled)
:0BD
* -800^0
* 200^0 v0ibwKA
* 200^0 CDH2kTw
* 200^0 YBdt6zE
* 200^0 nblNbDU
* 200^0 jWqE0Z6
{ VNSOBIG=yes }
#Sobig-f
:0BD
* -800^0
* 200^0 IOsT73k
* 200^0 eGYh2Eo
* 200^0 cb07glg
* 200^0 G\+Q1KAS
* 200^0 WaUYonD
{ VNSOBIG=yes }
:0
* VNSOBIG ?? yes
{
LOG="---=== WORM-SOBIG $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Sobig
}


#Swen
:0BD
* -800^0
* 200^0 wHQJagF
* 200^0 ReRQaJA
* 200^0 QQBQ6Ae
* 200^0 AAAAg\+w
* 200^0 AVjDi2X
{ VNSWEN=yes }
# Swen-upx (someone released Swen compressed... lamers..)
:0BD
* -800^0
* 200^0 w57t927
* 200^0 CZ/aINt
* 200^0 BxkwgiQ
* 200^0 CjghxrM
* 200^0 DGvIKyM
{ VNSWEN=yes }
:0
* VNSWEN ?? yes
{
LOG="---=== WORM-SWEN $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Swen
}


#for Sober
:0BD
* -800^0
* 200^0 xCzjUCs
* 200^0 ByF8Jl9
* 200^0 XwPS1ST
* 200^0 BxY0PPB
* 200^0 cjsG0Tu
{ VNSOBER=yes }
#Sober-c
:0BD
* -800^0
* 200^0 zwYOwBJ
* 200^0 LAdpnBi
* 200^0 r7vRhBu
* 200^0 afB7of4
* 200^0 xwUmMCo
{ VNSOBER=yes }
#Sober-d
:0BD
* -800^0
* 200^0 qK6ooaS
* 200^0 TrcHNWd
* 200^0 AFNAB/Z
* 200^0 mqZpBom
* 200^0 AqIBICD
{ VNSOBER=yes }
#Sober-f
:0BD
* -800^0
* 200^0 mo2WiZx
* 200^0 k9cncC0
* 200^0 7kcfGwP
* 200^0 IhWgQZq
* 200^0 Zab/6vY
{ VNSOBER=yes }
:0
* VNSOBER ?? yes
{
LOG="---=== WORM-SOBER $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Sober
}


#for Mimail
:0BD
#Mimail.A (UPX encoded)
* -800^0
* 200^0 sFdQJB4
* 200^0 tfA9Im5
* 200^0 ndpTyZQ
* 200^0 XCQoUyM
* 200^0 2xRcdLC
{ VNMIMAIL=yes }
#Mimail.F (UPX encoded)
:0BD
* -800^0
* 200^0 sFdQJB4
* 200^0 tfA9Im5
* 200^0 ZbYLFDb
* 200^0 MbSsous
* 200^0 Gtz4JpF
{ VNMIMAIL=yes }
#Mimail.G (UPX encoded)
:0BD
* -800^0
* 200^0 sFdQJB4
* 200^0 MP\+18D0
* 200^0 TMm2tgQ
* 200^0 pTG0rAs
* 200^0 Izsa3PE
{ VNMIMAIL=yes }
#Mimail.C (UPX encoded)
:0BD
* -800^0
* 200^0 sFdQJB4
* 200^0 tfA9Iu0
* 200^0 tpH2VDI
* 200^0 tKzRdYM
* 200^0 fj5oaYA
{ VNMIMAIL=yes }
#Mimail.I (UPX encoded)
:0BD
* -800^0
* 200^0 sFdQJB4
* 200^0 BB6FT2A
* 200^0 WJ1nMg4
* 200^0 jOY/web
* 200^0 biHb608
{ VNMIMAIL=yes }
#Mimail.J (UPX encoded)
:0BD
* -800^0
* 200^0 sFdQJB4
* 200^0 TwsM4dv
* 200^0 7FidMF2
* 200^0 5j/B5sx
* 200^0 LEjXst5
{ VNMIMAIL=yes }
#Mimail.E (UPX encoded)
:0BD
* -800^0
* 200^0 sFdQJB4
* 200^0 ZQ//tfA
* 200^0 ZSqZkm2
* 200^0 MbTd4EV
* 200^0 sqPB/VH
{ VNMIMAIL=yes }
#Mimail.M (UPX encoded)
:0BD
* -800^0
* 200^0 sFdQJB4
* 200^0 sG569A4
* 200^0 W9kvxgQ
* 200^0 0MQ1Zru
* 200^0 7WzLXiK
{ VNMIMAIL=yes }
#Mimail.A,G,C,E (decompressed)
:0BD
* -800^0
* 200^0 BInHV/9
* 200^0 AIPHLok
* 200^0 dfyLdfj
* 200^0 AACDxAx
* 200^0 (NQ|Jw|Ow|KA)AA/3X
{ VNMIMAIL=yes }
#Mimail.I (decompressed)
:0BD
* -800^0
* 200^0 BInHV/9
* 200^0 /0Xoi30
* 200^0 WUAAOX3
* 200^0 xARqAFC
* 200^0 PTRZQAA
{ VNMIMAIL=yes }
#Mimail.J (decompressed)
:0BD
* -800^0
* 200^0 BInHV/9
* 200^0 mQEAAP9
* 200^0 /Is9NFl
* 200^0 KAAAg8Q
* 200^0 /0X8iz0
{ VNMIMAIL=yes }
#Mimail.M (decompressed)
:0BD
* -800^0
* 200^0 BInHV/9
* 200^0 BI292Pf
* 200^0 LAAAice
* 200^0 g8QQ/3X
* 200^0 /In\+g8Y
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -1000^0
* 100^0 J$?^?C$?^?j$?^?A$?^?A$?^?B$?^?Q$?^?o$?^?Q$?^?A$?^?A$?^?/$?^?K
* 100^0 3$?^?K$?^?M$?^?A$?^?A$?^?J$?^?S$?^?h$?^?A$?^?A$?^?A$?^?I$?^?o$?^?Q
* 100^0 D$?^?s$?^?o$?^?w$?^?A$?^?A$?^?o$?^?K$?^?E$?^?A$?^?A$?^?B$?^?y
* 100^0 A$?^?i$?^?k$?^?A$?^?A$?^?C$?^?0$?^?o$?^?Q$?^?A
* 100^0 D$?^?k$?^?o$?^?Q$?^?A$?^?A$?^?\+$?^?K$?^?E
* 100^0 c$?^?o$?^?g$?^?A$?^?A$?^?L$?^?K$?^?I$?^?A$?^?A$?^?D$?^?y$?^?i$?^?A$?^?A$?^?B$?^?U$?^?o$?^?g$?^?A$?^?A$?^?Y$?^?K$?^?I$?^?A$?^?A$?^?H$?^?C$?^?i$?^?A$?^?A$?^?B$?^?8$?^?o$?^?g$?^?A$?^?A$?^?j$?^?K$?^?I$?^?A$?^?A$?^?J$?^?i$?^?i
* 100^0 R$?^?l$?^?R$?^?m$?^?l$?^?s$?^?Z$?^?Q$?^?B$?^?U$?^?A$?^?E$?^?R$?^?l$?^?b$?^?G$?^?V$?^?0$?^?Z$?^?U$?^?Z$?^?p$?^?b$?^?G$?^?V$?^?B$?^?A
* 100^0 A$?^?A$?^?A$?^?A$?^?H$?^?E$?^?C$?^?c$?^?3$?^?R$?^?y$?^?Y$?^?2$?^?h$?^?y$?^?A$?^?A$?^?A$?^?A$?^?A$?^?H$?^?g$?^?C$?^?c$?^?3$?^?R
* 100^0 B$?^?A$?^?A$?^?D$?^?y$?^?g$?^?Q$?^?A$?^?A$?^?8$?^?o$?^?E$?^?A$?^?A$?^?P$?^?K$?^?B$?^?A$?^?A$?^?D$?^?y$?^?g$?^?Q
* 100^0 C$?^?I$?^?A$?^?A$?^?A$?^?A$?^?w$?^?A$?^?A$?^?A$?^?A$?^?l$?^?g$?^?A
* 100^0 Q$?^?Z$?^?\+$?^?n$?^?t$?^?Y$?^?P$?^?/$?^?/
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 D\+Rhdqr
* 200^0 Sdh05LZ
* 200^0 b8s2s\+C
* 200^0 dOS2t8k
* 200^0 quTktjp
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 vR\+VkBg
* 200^0 r2qPEFD
* 200^0 my2ESBR
* 200^0 jxBQBTL
* 200^0 GB8QUIi
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 DE8GMql
* 200^0 Ddvfg/J
* 200^0 CI81GIf
* 200^0 34PytGJ
* 200^0 qU\+D8jn
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 r89dHFB
* 200^0 ly0hmhh
* 200^0 XRxQoOD
* 200^0 vc0cUC1
* 200^0 VSxZgdD
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 PfhMCpj
* 200^0 Nepoycp
* 200^0 QrcEr83
* 200^0 aMnKhdU
* 200^0 mPjJygh
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 XYptifi
* 200^0 tooa6Ek
* 200^0 YzRk3ex
* 200^0 GuhJ5ac
* 200^0 \+IroSWg
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 kZR6XjS
* 200^0 YUYE/57
* 200^0 dOOow/u
* 200^0 BP\+eKbk
* 200^0 NJT/nqQ
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 Q1Q7wuZ
* 200^0 /ZTEvgI
* 200^0 NX96A7o
* 200^0 xL4C\+3l
* 200^0 5lS\+Anb
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 V05IF/J
* 200^0 KIDezdc
* 200^0 RqpuGcn
* 200^0 3s3X72M
* 200^0 8k7N12L
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 zyYhlGo
* 200^0 qxi2pFS
* 200^0 Lyn2caB
* 200^0 tqRUdwt
* 200^0 aiakVPq
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 nEVDXTl
* 200^0 YkvVxp3
* 200^0 TeClEsK
* 200^0 1cadJGg
* 200^0 OUXGnan
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 hOCmeyH
* 200^0 RFNwI7v
* 200^0 qMa9tye
* 200^0 cCO7PM3
* 200^0 IeAju7F
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 Y48zK8a
* 200^0 FLQftus
* 200^0 PZZa2LL
* 200^0 H7br26J
* 200^0 xo\+261Y
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 mcmAiDz
* 200^0 t05ZBUj
* 200^0 jjWgngF
* 200^0 WQVIIeT
* 200^0 PMkFSKx
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
* -800^0
* 200^0 soNGEhe
* 200^0 LWUTw9L
* 200^0 SK\+L1Mf
* 200^0 E8PSCq4
* 200^0 F4PD0oc
{ VNMIMAIL=yes }
:0
* VNMIMAIL ?? yes
{
LOG="---=== WORM-MIMAIL $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Mimail
}


#for Blaster (Lovesan)
:0BD
* -800^0
* 200^0 ClAkHg0
* 200^0 xvggHV9
* 200^0 UUT8AZj
* 200^0 rboHqPQ
* 200^0 fgAlaS4
{ VNBLASTER=yes }
#for Blaster (Lovesan) decompressed
:0BD
* -800^0
* 200^0 VhAAAD2
* 200^0 jYXo/f/
* 200^0 DMeF7Or
* 200^0 NSQxQAD
* 200^0 /A\+3hX7
{ VNBLASTER=yes }
:0
* VNBLASTER ?? yes
{
LOG="---=== WORM-BLASTER $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Blaster
}


#for Nimda
:0BD
* -800^0
* 200^0 //8r8Go
* 200^0 te79///
* 200^0 /wAAAP9
* 200^0 /1BqAGo
* 200^0 N[o4]v4O/s
{
LOG="---=== WORM-NIMDA $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Nimda
}


#for Klez
:0BD
* 0EPA6gQ
{
#Klez-a
:0BD
* -600^0
* 200^0 fnwDQOv
* 200^0 AFlZ6xZ
* 200^0 oAEAAGo
* 200^0 zyvIUVB
{ VNKLEZ=yes }
#Klez-b
:0BD
* -600^0
* 200^0 /A\+DJwE
* 200^0 UOjZLgA
* 200^0 6DUBAAC
* 200^0 CAPfO9h
{ VNKLEZ=yes }
#Klez-c
:0BD
* -600^0
* 200^0 GGaD\+SB
* 200^0 g8QQOV0
* 200^0 JAAA/0X
* 200^0 AAIAAID
{ VNKLEZ=yes }
#Klez-d
:0BD
* -600^0
* 200^0 /A\+DJwE
* 200^0 CI2F2P7
* 200^0 /P7//2i
* 200^0 AFPoSjE
{ VNKLEZ=yes }
#Klez-e
:0BD
* -600^0
* 200^0 UmAAADP
* 200^0 EFm4AAA
* 200^0 6MorAAC
* 200^0 QQD/dRB
{ VNKLEZ=yes }
#Klez-f
:0BD
* -600^0
* 200^0 omAAADP
* 200^0 EFm4AAA
* 200^0 6O4rAAC
* 200^0 QQD/dRB
{ VNKLEZ=yes }
#Klez-g
:0BD
* -600^0
* 200^0 omAAADP
* 200^0 EFm4AAA
* 200^0 6O4rAAC
* 200^0 QQD/dRB
{ VNKLEZ=yes }
#Klez-h
:0BD
* -600^0
* 200^0 MmQAADP
* 200^0 EFm4AAA
* 200^0 0moYWff
* 200^0 U1ZXD4S
{ VNKLEZ=yes }
#Klez-i
:0BD
* -600^0
* 200^0 ImQAADP
* 200^0 EFm4AAA
* 200^0 0moYWff
* 200^0 U1ZXD4S
{ VNKLEZ=yes }
#Klez-j
:0BD
* -600^0
* 200^0 omAAADP
* 200^0 EFm4AAA
* 200^0 6O4rAAC
* 200^0 QQD/dRB
{ VNKLEZ=yes }
:0
* VNKLEZ ?? yes
{
LOG="---=== WORM-KLEZ $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Klez
}
}


#Novarg
:0BD
#Novarg unpacked
* -800^0
* 200^0 gAsAAIA
* 200^0 Qbya4z/
* 200^0 WKyxNTc
* 200^0 xz9PyLY
* 200^0 2Zjo9Vd
{ VNNOVARG=yes }
#Novarg upx
:0BD
* -800^0
* 200^0 0KJ3Tyo
* 200^0 3/ZH\+Ur
* 200^0 D/////8
* 200^0 Tlze1i2
* 200^0 88KUaUE
{ VNNOVARG=yes }
#Novarg Petite packed
:0BD
* -800^0
* 200^0 dFByb2N
* 200^0 d/dIwAB
* 200^0 tvofY9M
* 200^0 EZJt9N4
* 200^0 cH\+xjgD
{ VNNOVARG=yes }
#Novarg unpacked
:0BD
* -800^0
* 200^0 wgZpXVd
* 200^0 Z3JrZwA
* 200^0 IGdya2c
* 200^0 WTPbWYk
* 200^0 cBBKADi
{ VNNOVARG=yes }
#MyDoom.e
:0BD
* -800^0
* 200^0 1xZYneU
* 200^0 jA2uWpc
* 200^0 2QeP4pz
* 200^0 8W2ey1T
* 200^0 4mnpjVI
{ VNNOVARG=yes }
#MyDoom.e
:0BD
* -800^0
* 200^0 B1Cg8UX
* 200^0 leFkBUR
* 200^0 h/6B3aL
* 200^0 wsdsvqR
* 200^0 oPm6Kvf
{ VNNOVARG=yes }
#MyDoom.e
:0BD
* -800^0
* 200^0 oPFF//8
* 200^0 ZAVEU5X
* 200^0 gd2i//\+
* 200^0 bL6kQ\+/
* 200^0 uir38IJ
{ VNNOVARG=yes }
#generic signature just to be sure
:0BD
* -800^0
* 900^0 /$?^?/$?^?/$?^?/$?^?/$?^?2$?^?d$?^?y$?^?g$?^?J$?^?G$?^?l$?^?A$?^?L$?^?b$?^?z$?^?E$?^?z$?^?p$?^?c$?^?h$?^?b$?^?H$?^?g$?^?E$?^?k$?^?d$?^?/$?^?u$?^?v$?^?g$?^?5$?^?f$?^?c$?^?Q$?^?O$?^?W$?^?6$?^?v$?^?\+$?^?V$?^?K$?^?0$?^?J$?^?a$?^?M$?^?o$?^?v
* 900^0 /$?^?/$?^?/$?^?/$?^?/$?^?i$?^?\+$?^?d$?^?G$?^?q$?^?A$?^?1$?^?1$?^?4$?^?E$?^?6$?^?/$?^?c$?^?6$?^?o$?^?k$?^?Q$?^?X$?^?T$?^?0$?^?c$?^?o$?^?E$?^?/$?^?P$?^?0$?^?J$?^?I$?^?U$?^?U$?^?1$?^?s$?^?f$?^?p$?^?P$?^?L$?^?x$?^?u$?^?Q$?^?F$?^?K$?^?1$?^?D
* 900^0 /$?^?/$?^?/$?^?/$?^?\+$?^?u$?^?t$?^?8$?^?P$?^?S$?^?5$?^?P$?^?k$?^?R$?^?L$?^?E$?^?p$?^?r$?^?j$?^?7$?^?b$?^?g$?^?D$?^?T$?^?1$?^?w$?^?p$?^?t$?^?8$?^?b$?^?W$?^?p$?^?z$?^?h$?^?K$?^?X$?^?T$?^?C$?^?E$?^?2$?^?e$?^?\+$?^?G$?^?H$?^?X$?^?V$?^?O$?^?P
* 900^0 /$?^?/$?^?/$?^?/$?^?/$?^?/$?^?d$?^?a$?^?w$?^?C$?^?m$?^?V$?^?B$?^?H$?^?b$?^?r$?^?Y$?^?9$?^?5$?^?c$?^?3$?^?W$?^?H$?^?o$?^?c$?^?v$?^?\+$?^?P$?^?I$?^?r$?^?h$?^?R$?^?7$?^?Y$?^?w$?^?u$?^?0$?^?3$?^?s$?^?m$?^?1$?^?A$?^?0$?^?5$?^?8$?^?K$?^?p$?^?n
* 900^0 /$?^?/$?^?/$?^?/$?^?/$?^?/$?^?3$?^?W$?^?s$?^?A$?^?p$?^?l$?^?Q$?^?R$?^?2$?^?6$?^?2$?^?P$?^?e$?^?X$?^?N$?^?1$?^?h$?^?6$?^?H$?^?L$?^?/$?^?j$?^?y$?^?K$?^?4$?^?U$?^?e$?^?2$?^?M$?^?L$?^?t$?^?N$?^?7$?^?J$?^?t$?^?Q$?^?N$?^?O$?^?f$?^?C$?^?q$?^?Z
* 900^0 /$?^?/$?^?/$?^?/$?^?/$?^?J$?^?\+$?^?q$?^?w$?^?e$?^?U$?^?U$?^?U$?^?5$?^?r$?^?u$?^?T$?^?b$?^?k$?^?w$?^?t$?^?E$?^?f$?^?j$?^?i$?^?z$?^?7$?^?\+$?^?y$?^?q$?^?K$?^?G$?^?d$?^?n$?^?J$?^?6$?^?j$?^?q$?^?7$?^?b$?^?E$?^?1$?^?e$?^?k$?^?A$?^?G$?^?j$?^?f
* 900^0 /$?^?/$?^?/$?^?/$?^?E$?^?8$?^?B$?^?J$?^?d$?^?f$?^?a$?^?D$?^?8$?^?P$?^?8$?^?7$?^?R$?^?C$?^?Q$?^?E$?^?g$?^?9$?^?U$?^?B$?^?O$?^?0$?^?Q$?^?k$?^?C$?^?I$?^?P$?^?V$?^?A$?^?I$?^?k$?^?E$?^?J$?^?O$?^?h$?^?X
{ VNNOVARG=yes }
:0
* VNNOVARG ?? yes
{
LOG="---=== WORM-NOVARG $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Novarg
}


#Moodown
:0BD
* -800^0
* 200^0 2yFbKVg
* 200^0 YBsnA\+3
* 200^0 VFiceqX
* 200^0 eshgrpI
* 200^0 XR7syGE
{ VNMOODOWN=yes }
#Moodown uncompressed
:0BD
* -800^0
* 200^0 7IHsDAI
* 200^0 g/4IV/f
* 200^0 cghmgX3
* 200^0 XlvJw4N
* 200^0 AFZXx0X
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 DRQKlm8
* 200^0 TTv3Wth
* 200^0 yMu/KXS
* 200^0 zRGz90g
* 200^0 MzTvkTE
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 0A0UCpZ
* 200^0 \+k0791r
* 200^0 hMjLvyl
* 200^0 q80Rs/d
* 200^0 5DM075E
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 nlUKFLk
* 200^0 BpLFc5j
* 200^0 Ld6FjK7
* 200^0 Dacg\+6G
* 200^0 \+hxFERp
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 CkzQI2F
* 200^0 Ko7KySg
* 200^0 VSMSscE
* 200^0 fBAGDco
* 200^0 6PFl5S2
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 FLkN0A0
* 200^0 c5jM\+k0
* 200^0 jK7QhMj
* 200^0 \+6GMq80
* 200^0 ERpJ5DM
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 uQ3QDRQ
* 200^0 mMz6TTv
* 200^0 rtCEyMu
* 200^0 oYyrzRG
* 200^0 GknkMzT
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 giOeVQo
* 200^0 lL0GksV
* 200^0 vDgt3oW
* 200^0 wUkNpyD
* 200^0 jYP6HEU
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 oMl9u5V
* 200^0 JXJ\+Dop
* 200^0 XywgXHw
* 200^0 BwxCcet
* 200^0 nMoYFDJ
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 ajX/1yI
* 200^0 iXAicu4
* 200^0 sAQL1oP
* 200^0 Bz2QVEm
* 200^0 OLA0IBf
{ VNMOODOWN=yes }
#Netsky.d
:0BD
* -800^0
* 200^0 kxAVw4E
* 200^0 jyHppNc
* 200^0 TER/Nyz
* 200^0 qECfj\+4
* 200^0 rOEy\+xn
{ VNMOODOWN=yes }
#Netsky.d
:0BD
* -800^0
* 200^0 iwQk/Yv
* 200^0 wtKGp6z
* 200^0 vi5sXtq
* 200^0 eV1Xkor
* 200^0 5bLDS9r
{ VNMOODOWN=yes }
#Netsky.j
:0BD
* -800^0
* 200^0 f0WP3bU
* 200^0 awW/yBV
* 200^0 BXSVCNQ
* 200^0 9BqNuGa
* 200^0 qflP54t
{ VNMOODOWN=yes }
#Netsky.m
:0BD
* -800^0
* 200^0 jPe7OSC
* 200^0 DyDkVPu
* 200^0 aUaWI\+z
* 200^0 Uo04LH8
* 200^0 uPAKsTc
{ VNMOODOWN=yes }
#Netsky.q
:0BD
* -800^0
* 200^0 QWRkcmV
* 200^0 X4G3M5d
* 200^0 jjTIi12
* 200^0 Z/\+xmRH
* 200^0 benBLNN
{ VNMOODOWN=yes }
#Netsky.q
:0BD
* -800^0
* 200^0 hKLw/v9
* 200^0 9S/Ji25
* 200^0 02A582H
* 200^0 AWHPacb
* 200^0 25XelF2
{ VNMOODOWN=yes }
#Netsky.q
:0BD
* -800^0
* 200^0 xvpn0QJ
* 200^0 Xa60IWe
* 200^0 3I7cj5U
* 200^0 KP3GXoG
* 200^0 6hyZZ0f
{ VNMOODOWN=yes }
#Netsky.q
:0BD
* -800^0
* 200^0 QWRkcmV
* 200^0 X4G3M5d
* 200^0 jjTIi12
* 200^0 Z/\+xmRH
* 200^0 f39/f3f
{ VNMOODOWN=yes }
#Netsky.r
:0BD
* -800^0
* 200^0 a$?^?W$?^?5$?^?0$?^?Z$?^?k$?^?E
* 200^0 l$?^?8$?^?G$?^?j$?^?Z$?^?n$?^?h
* 200^0 Q$?^?2$?^?J$?^?i$?^?U$?^?1$?^?o
* 200^0 f$?^?3$?^?9$?^?/$?^?f$?^?3$?^?f
* 200^0 3$?^?v$?^?r$?^?G$?^?M$?^?s$?^?Q
* 200^0 H$?^?i$?^?X$?^?/$?^?T$?^?S$?^?F
* 200^0 K$?^?Z$?^?J$?^?z$?^?T$?^?n$?^?C
* 200^0 f$?^?3$?^?9$?^?/$?^?f$?^?3$?^?f
* 200^0 3$?^?v$?^?r$?^?G$?^?M$?^?s$?^?Q
{ VNMOODOWN=yes }
#Netsky.r
:0BD
* -800^0
* 200^0 ogAAOKI
* 200^0 0bagiBw
* 200^0 mmBIoKz
* 200^0 Xag4k/y
* 200^0 /NPCCu1
{ VNMOODOWN=yes }
#Netsky.t
:0BD
* -800^0
* 200^0 Z6Pjb4U
* 200^0 YxSu0ln
* 200^0 GF7uDDj
* 200^0 WG99aEl
* 200^0 PGgSVq3
{ VNMOODOWN=yes }
#Netsky.t
:0BD
* -800^0
* 200^0 /K2wZwO
* 200^0 rtJZwOa
* 200^0 Y3Sm7gw
* 200^0 jkXw4C8
* 200^0 DxtzUGQ
{ VNMOODOWN=yes }
#Netsky.f
:0BD
* -800^0
* 200^0 o5AmyZH
* 200^0 XsD\+UFG
* 200^0 LEoRLFY
* 200^0 fv0WwAo
* 200^0 HHaFkB3
{ VNMOODOWN=yes }
#Netsky.Y
:0BD
* -800^0
* 200^0 TaOQJsm
* 200^0 gRE8CnT
* 200^0 kgPIHyi
* 200^0 0AHEDHY
* 200^0 EIHCX7I
{ VNMOODOWN=yes }
#Netsky.X
:0BD
* -800^0
* 200^0 p2yr7NI
* 200^0 dfJPtnR
* 200^0 BJBUfM1
* 200^0 YjsD89C
* 200^0 MbZ\+TW5
{ VNMOODOWN=yes }
#Netsky.aa
:0BD
* -800^0
* 200^0 UMQiaNP
* 200^0 8TPzDAj
* 200^0 mJBxAY1
* 200^0 i3UJJ8m
* 200^0 OzI040u
{ VNMOODOWN=yes }
#Netsky.aa
:0BD
* -800^0
* 200^0 YSPoUHI
* 200^0 MxoYGCM
* 200^0 sARsEcO
* 200^0 HZSd7p8
* 200^0 zBzs0Ho
{ VNMOODOWN=yes }
#Netsky.r
:0BD
* -800^0
* 200^0 txwDGBG
* 200^0 sbzwN34
* 200^0 hLsIW7x
* 200^0 Dt9ZvYK
* 200^0 QkkCxKA
{ VNMOODOWN=yes }
#Netsky.aa
:0BD
* -800^0
* 200^0 J1DEImj
* 200^0 E/Ez8ww
* 200^0 mJiQcQG
* 200^0 Eot1CSf
* 200^0 GDsyNON
{ VNMOODOWN=yes }
#Netsky.aa
:0BD
* -800^0
* 200^0 cidQxCJ
* 200^0 IxPxM/M
* 200^0 w5iYkHE
* 200^0 nxKLdQk
* 200^0 ehg7MjT
{ VNMOODOWN=yes }
#Netsky.x
:0BD
* -800^0
* 200^0 D/c2OLc
* 200^0 IHiPh6O
* 200^0 M5mLo\+6
* 200^0 ye\+22ga
* 200^0 rg8X7ov
{ VNMOODOWN=yes }
#Netsky.aa
:0BD
* -800^0
* 200^0 ImjT0os
* 200^0 8wwIwev
* 200^0 cQGNZg/
* 200^0 CSfJi9d
* 200^0 NONLpQG
{ VNMOODOWN=yes }
#Netsky.ac
:0BD
* -800^0
* 200^0 XbBND40
* 200^0 df2XViE
* 200^0 AQB0HIs
* 200^0 3sfEGBA
* 200^0 3G78aYt
{ VNMOODOWN=yes }
:0
* VNMOODOWN ?? yes
{
LOG="---=== WORM-MOODOWN $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Moodown
}


#for Bridex
#Bridex.a
:0BD
* -800^0
* 200^0 ZgclAGa
* 200^0 QADi2EA
* 200^0 J0EAAyd
* 200^0 /yWsEEA
* 200^0 AJn/AAD
{
LOG="---=== WORM-BRIDEX $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Bridex
}


#for Avron aka Lirva
:0BD
#Avron-b
* -800^0
* 200^0 IHBhY2t
* 200^0 Yiudflj
* 200^0 UEKOkBE
* 200^0 BQolLDs
* 200^0 OIxrCMs
{ VNLIRVA=yes }
#Avron-c
:0BD
* -800^0
* 200^0 IHBhY2t
* 200^0 Yiudflj
* 200^0 LHR6U3d
* 200^0 726CDaY
* 200^0 bGoqNFm
{ VNLIRVA=yes }
#Avron-e
:0BD
* -800^0
* 200^0 zMzMzMz
* 200^0 fbi5EgA
* 200^0 RcZFxUb
* 200^0 /wAAAMH
* 200^0 /1D/FTA
{ VNLIRVA=yes }
:0
* VNLIRVA ?? yes
{
LOG="---=== WORM-LIRVA $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Lirva
}


#for Lentin aka Yaha
#Lentin.G (Yaha.E)
:0BD
* -800^0
* 200^0 Li4uLi4
* 200^0 NWAdUqk
* 200^0 7EnICe9
* 200^0 0DyYxQl
* 200^0 6agF0Ok
{ VNYAHA=yes }
#Lentin.I (Yaha.K)
:0BD
* -800^0
* 200^0 N\+SwUge
* 200^0 hFCMT8t
* 200^0 Duk7Aoh
* 200^0 fC24DGH
* 200^0 VExyKUw
{ VNYAHA=yes }
:0
* VNYAHA ?? yes
{
LOG="---=== WORM-YAHA-LENTIN $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Yaha
}


#for Hybris aka SnowWhite virus - Hybris is polymorphic so hard to catch...
#Hybris-b
:0BD
* -800^0
* 200^0 AIv0gcT
* 200^0 JOgCAAC
* 200^0 mVfiyoh
* 200^0 ////cvL
* 200^0 YIlaZIl
{ VNHYBRIS=yes }
#Hybris-c
:0BD
* -800^0
* 200^0 0QuxYhX
* 200^0 pyFClXl
* 200^0 bE4jym1
* 200^0 37pPyjL
* 200^0 0GnOIjn
{ VNHYBRIS=yes }
#Hybris-d
:0BD
* -800^0
* 200^0 ka60PZ2
* 200^0 jTq/9Vv
* 200^0 bdVMcR\+
* 200^0 Y1PunKd
* 200^0 be2y\+V2
{ VNHYBRIS=yes }
#Hybris-gen
:0BD
* -800^0
* 200^0 VCWIw2A
* 200^0 E/42yeG
* 200^0 QFsQ6PI
* 200^0 2iZ0YB5
* 200^0 MGSGfyE
{ VNHYBRIS=yes }
#even more Hybris
:0BD
* -800^0
* 200^0 Ui\+XpV4
* 200^0 9ftA2MO
* 200^0 Tz0O8gH
* 200^0 5DVWXih
* 200^0 Lm6VYR8
{ VNHYBRIS=yes }
#even more Hybris
:0BD
* -800^0
* 200^0 axYfsHc
* 200^0 ABUnYM7
* 200^0 10cn2Yk
* 200^0 y71gdw/
* 200^0 R1UdbDg
{ VNHYBRIS=yes }
:0
* VNHYBRIS ?? yes
{
LOG="---=== WORM-HYBRIS $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Hybris
}


#for BadTransII
:0BD
* -800^0
* 200^0 bXcD6Ga
* 200^0 Yz1rtU0
* 200^0 VHRSPOb
* 200^0 \+aZQuxC
* 200^0 O/h0c4s
{
LOG="---=== WORM-BADTRANSII $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-BadTransII
}


#for Hawawi.g
:0BD
* -800^0
* 200^0 L3YAYnf
* 200^0 Zkgu/Al
* 200^0 dY/34nx
* 200^0 xEzSu/9
* 200^0 7bgBAAA
{ VNHAWAWI=yes }
#for Hawawi.g (decompressed)
:0BD
* -800^0
* 200^0 AP8lIBB
* 200^0 AAA0JkA
* 200^0 oaxTQAA
* 200^0 \+/o1MP/
* 200^0 AGM0/13
{ VNHAWAWI=yes }
:0
* VNHAWAWI ?? yes
{
LOG="---=== WORM-HAWAWI $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Hawawi
}


#for P2P.Darby
:0BD
* -800^0
* 200^0 F6Zp5jn
* 200^0 kGDH9mH
* 200^0 MsgrHhH
* 200^0 jOsqjbJ
* 200^0 rrMljqb
{ VNDARBY=yes }
#Darby.gen
:0BD
* -800^0
* 200^0 imO87nk
* 200^0 5fN02Gk
* 200^0 kn69MZO
* 200^0 bAFpn1W
* 200^0 AVlShCj
{ VNDARBY=yes }
:0
* VNDARBY ?? yes
{
LOG="---=== WORM-DARBY $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Darby
}


#for I-Worm.Bagle
:0BD
* -800^0
* 200^0 xPxWV1O
* 200^0 i0AMC8B
* 200^0 6DAVAAD
* 200^0 /1IMi3X
* 200^0 8OhlDwA
{ VNBAGLE=yes }
#Bagle.B
:0BD
* -800^0
* 200^0 jz1dAvg
* 200^0 BQ6Bxjt
* 200^0 3t8FA9x
* 200^0 HruKHZv
* 200^0 GdW87l4
{ VNBAGLE=yes }
#Bagle.F
:0BD
* -800^0
* 200^0 7wB7y\+c
* 200^0 6AEAAAD
* 200^0 4Las77i
* 200^0 CI1OkcN
* 200^0 OwBXkK8
{ VNBAGLE=yes }
#Bagle.E
:0BD
* -800^0
* 200^0 \+AgKqqp
* 200^0 0nUFihZ
* 200^0 XmD0XkB
* 200^0 aUNfJTZ
* 200^0 dhOlB54
{ VNBAGLE=yes }
#Bagle.S
:0BD
* -800^0
* 200^0 dgOABut
* 200^0 QA\+EgiY
* 200^0 Q3lorBv
* 200^0 DpQVMg1
* 200^0 QTwRWj4
{ VNBAGLE=yes }
#Bagle.T
:0BD
* -800^0
* 200^0 dgOABut
* 200^0 QA\+EgiY
* 200^0 kHlorBv
* 200^0 IJThUDJ
* 200^0 nhFaHxw
{ VNBAGLE=yes }
:0
* VNBAGLE ?? yes
{
LOG="---=== WORM-BAGLE $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Bagle
}


#for Backdoor.PowerSpider.a
:0BD
* -800^0
* 200^0 CAF0B1b
* 200^0 GrUAAAF
* 200^0 uDTMQAD
* 200^0 ochWQgC
* 200^0 aGD1QAB
{
LOG="---=== WORM-POWERSPIDER $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Powerspider
}


#for Backdoor.NetSnake.g
:0BD
* -800^0
* 200^0 xQeL7d1
* 200^0 N2g11q2
* 200^0 HwYe7jV
* 200^0 VlEruAN
* 200^0 Idnxgc3
{
LOG="---=== WORM-NETSNAKE $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-NetSnake
}


#for Tanatos aka BugBear
#Bugbear-a
:0BD
* -800^0
* 200^0 7e/5O/C
* 200^0 UDcmGDo
* 200^0 MogGcs9
* 200^0 hXIFBoO
* 200^0 rw5Qdfi
#Bugbear-b-generic by NiKant - I think its a killer but lets see..
* 900^0 C$?^?C$?^?n$?^?Y$?^?h$?^?q$?^?0$?^?w$?^?f$?^?H$?^?k$?^?M$?^?3$?^?x$?^?\+$?^?0$?^?H$?^?A$?^?B$?^?U$?^?R$?^?A$?^?Q$?^?A$?^?A$?^?k$?^?A$?^?I$?^?A$?^?J$?^?g$?^?s$?^?A$?^?J$?^?L
{
LOG="---=== WORM-BUGBEAR-TANATOS $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Bugbear
}


#for Elkern
#Elkern-a
:0BD
* -800^0
* 200^0 0EPA6gQ
* 200^0 fnwDQOv
* 200^0 AFlZ6xZ
* 200^0 oAEAAGo
* 200^0 zyvIUVB
{ VNELKERN=yes }
#Elkern-c
:0BD
* -800^0
* 200^0 AIPEDOm
* 200^0 FUAAAxV
* 200^0 lKBAAOg
* 200^0 DKGsoEA
* 200^0 zMzMzMz
{ VNELKERN=yes }
:0
* VNELKERN ?? yes
{
LOG="---=== WORM-ELKERN $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Elkern
}


#for Navidad
#Navidad-a
:0BD
* -800^0
* 200^0 FVBQQAC
* 200^0 lCQUAgA
* 200^0 1mgAfwA
* 200^0 Z1D/FfR
* 200^0 WVloIGB
{ VNNAVIDAD=yes }
#Navidad-b
:0BD
* -800^0
* 200^0 VC1EClJ
* 200^0 OYCFHqg
* 200^0 Cz96o\+Y
* 200^0 LwcbYK8
* 200^0 hWVy/cc
{ VNNAVIDAD=yes }
:0
* VNNAVIDAD ?? yes
{
LOG="---=== WORM-NAVIDAD $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Navidad
}


#for MyParty
:0BD
* -800^0
* 200^0 dD5WEnb
* 200^0 JTkZBdH
* 200^0 1xUMi00
* 200^0 FyKQAFF
* 200^0 f31f\+15
{
LOG="---=== WORM-MYPARTY $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-MyParty
}


#for Magistr (tough, has 2 polymorphic engines)
:0BD
* -800^0
* 200^0 \+SPFQMP
* 200^0 w2oAagD
* 200^0 oFRAAIk
* 200^0 dftAOBh
* 200^0 g3yPBAB
{ VNMAGISTR=yes }
#
:0BD
* -800^0
* 200^0 zMzMzMz
* 200^0 wYv3i/q
* 200^0 V/8V1AF
* 200^0 fCQQhNJ
* 200^0 AIll9Il
{ VNMAGISTR=yes }
#
:0BD
* -800^0
* 200^0 jUwkDFF
* 200^0 xBSFwHU
* 200^0 i/eL\+8H
* 200^0 HAEAAIs
* 200^0 SAOLxak
{ VNMAGISTR=yes }
#
:0BD
* -800^0
* 200^0 KkAAagB
* 200^0 7BgCAAB
* 200^0 jYXw/v/
* 200^0 aWxlQQD
* 200^0 cgBvAGQ
{ VNMAGISTR=yes }
#
:0BD
* -800^0
* 200^0 bGljYXR
* 200^0 bAAAVmh
* 200^0 IGAAAeh
* 200^0 AYTAdeO
* 200^0 9P7//4X
{ VNMAGISTR=yes }
#
:0BD
* -800^0
* 200^0 AFZHAAC
* 200^0 YXAgZXJ
* 200^0 dDWAPaF
* 200^0 AenPAAA
* 200^0 AFboSvj
{ VNMAGISTR=yes }
#
:0BD
* -800^0
* 200^0 AQD2OwE
* 200^0 bmkAV0F
* 200^0 bnQAAG5
* 200^0 RkQtMDB
* 200^0 ezA1NTg
{ VNMAGISTR=yes }
#
:0BD
* -800^0
* 200^0 QUdFTlQ
* 200^0 YQBnAGU
* 200^0 4kJu1TA
* 200^0 ahS\+wyE
* 200^0 LhRs\+nP
{ VNMAGISTR=yes }
#
:0BD
* -800^0
* 200^0 /vOragN
* 200^0 \+YvBi/e
* 200^0 AABQV/8
* 200^0 6I4sAAC
* 200^0 JJAMAAA
{ VNMAGISTR=yes }
#
:0BD
* -800^0
* 200^0 XlnDi0Q
* 200^0 RAoBjVQ
* 200^0 AAAAiQ/
* 200^0 QAiJFSR
* 200^0 AGgYIEA
{ VNMAGISTR=yes }
:0
* VNMAGISTR ?? yes
{
LOG="---=== WORM-MAGISTR $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Magistr
}


#for LovGate
#LovGate-f
:0BD
* -800^0
* 200^0 AiYi3pn
* 200^0 tNQCwCg
* 200^0 Dxsjt0c
* 200^0 WA9\+zD1
* 200^0 AUieTgG
{ VNLOVGATE=yes }
#LovGate-i
:0BD
* -800^0
* 200^0 2gvcCpS
* 200^0 FzcK1a\+
* 200^0 5ymsPtx
* 200^0 nwPq/e\+
* 200^0 QYJeZUo
{ VNLOVGATE=yes }
:0
* VNLOVGATE ?? yes
{
LOG="---=== WORM-LOVGATE $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-LovGate
}


#for Frethem
:0BD
* -800^0
* 200^0 OxLRTfB
* 200^0 aHZdo72
* 200^0 KPwdNsG
* 200^0 /OzCsbg
* 200^0 zRhz7Px
{
LOG="---=== WORM-FRETHEM $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Frethem
}


#for LegendMir
:0BD
* -800^0
* 200^0 dQyhOHf
* 200^0 \+bxQKHY
* 200^0 QC/YCLK
* 200^0 A8fdl97
* 200^0 4ZdMDyJ
{
LOG="---=== WORM-LEGENDMIR $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-LegendMir
}


#for Gibe
:0BD
* -800^0
* 200^0 EEAA/yV
* 200^0 uSIRQAD
* 200^0 ChFAABA
* 200^0 ABYAAAB
* 200^0 Z1NldFZ
{
LOG="---=== WORM-GIBE $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Gibe
}


#for Hadra
:0BD
* -800^0
* 200^0 Enlyyt4
* 200^0 vxTI370
* 200^0 YzPwft/
* 200^0 AAsOe\+9
* 200^0 vwy4SIB
{
LOG="---=== WORM-HADRA $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Hadra
}


#for Generic
:0BD
* -800^0
* 200^0 QAAdskA
* 200^0 AP8lCBB
* 200^0 EAAAAQA
* 200^0 ///////
* 200^0 AAERGHd
{
LOG="---=== WORM-GENERIC $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Generic
}


#for Scrambler
#Scrambler-a
:0BD
* -800^0
* 200^0 AIPECIt
* 200^0 iUX8g33
* 200^0 /v//UP8
* 200^0 jY24/v/
* 200^0 AOgrNwA
{ VNSCRAMBLER=yes }
#Scrambler-b
:0BD
* -800^0
* 200^0 3vBbu95
* 200^0 mbz7CNF
* 200^0 pfYkclT
* 200^0 YnlhI1Q
* 200^0 BpdPoRp
{ VNSCRAMBLER=yes }
:0
* VNSCRAMBLER ?? yes
{
LOG="---=== WORM-SCRAMBLER $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Scrambler
}


#for Apost
:0BD
* -800^0
* 200^0 ZnBPD2Y
* 200^0 AABWQjU
* 200^0 ZgBFAHg
* 200^0 AGUAYwB
* 200^0 dmJhSHJ
{
LOG="---=== WORM-APOST $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Apost
}


#for CodeGreen.a
:0BD
* -800^0
* 200^0 V4k3g8c
* 200^0 AGoA/5U
* 200^0 WYP4/3Q
* 200^0 AABzb2N
* 200^0 OTAldTk
{
LOG="---=== WORM-CODEGREEN $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-CodeGreen
}


#for LastWord
:0BD
* -800^0
* 200^0 ZqzCAWZ
* 200^0 bHQAAJY
* 200^0 CuMiAAA
* 200^0 zACZmf8
* 200^0 AAAACVX
{
LOG="---=== WORM-LASTWORD $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-LastWord
}


#for GOPWorm.153
:0BD
* -800^0
* 200^0 pxvNrb0
* 200^0 mA9QXdN
* 200^0 bUUw4oQ
* 200^0 K8qezQE
* 200^0 AcIuJ1u
{
LOG="---=== WORM-GOPWORM $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-GOPWorm
}


#for TrojanDownloader.Win32.Ultraset
:0BD
* -800^0
* 200^0 agGLyFq
* 200^0 Q0AA/xV
* 200^0 cgsAAIh
* 200^0 wAsAAIl
* 200^0 DAaDxAz
{
LOG="---=== WORM-ULTRASET $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Ultraset
}


#for NetThief
:0BD
* -800^0
* 200^0 9UgwEAZ
* 200^0 i4\+Laz8
* 200^0 zX4He6/
* 200^0 beBX1o\+
* 200^0 8gokJzv
{
LOG="---=== WORM-NETTHIEF $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-NetThief
}


#Worm.P2P.VB.ai
#compressed
:0BD
* -800^0
* 200^0 SMqZ5\+i
* 200^0 s1w2y6R
* 200^0 IM1yQCH
* 200^0 h4Dodon
* 200^0 nhBcBrC
{ VNP2PVBai=yes }
#compressed
:0BD
* -800^0
* 200^0 AOz7BgD
* 200^0 QgAAYEI
* 200^0 wUIAbcF
* 200^0 DPtCAHf
* 200^0 AGp1QwD
{ VNP2PVBai=yes }
:0
* VNP2PVBai ?? yes
{
LOG="---=== WORM-P2P.VB.ai $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-P2PVBai
}


#for Maldal
#Maldal-c
:0BD
* -800^0
* 200^0 pVfy9NU
* 200^0 CAAMDAw
* 200^0 /5kA///
* 200^0 AAAABwA
* 200^0 AACZAAA
{ VNMALDAL=yes }
#Maldal-k
:0BD
* -800^0
* 200^0 CH9wDw9
* 200^0 KDI03fa
* 200^0 rCAjaKR
* 200^0 8pKXQHw
* 200^0 ZICSAaz
{ VNMALDAL=yes }
#Maldal-k-uncompressed
:0BD
* -800^0
* 200^0 iIiIiIg
* 200^0 AAAACP/
* 200^0 AIAAAIA
* 200^0 3wISFgA
* 200^0 ZSBNaWR
{ VNMALDAL=yes }
:0
* VNMALDAL ?? yes
{
LOG="---=== WORM-MALDAL $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Maldal
}


#for Roron
#51
:0BD
* -800^0
* 200^0 voSB4Sm
* 200^0 fpwIPzg
* 200^0 kIXOnm5
* 200^0 6aBIeEX
* 200^0 UTBTx6I
{ VNRORON=yes }
#51-uncompressed
:0BD
* -800^0
* 200^0 FGoBUuj
* 200^0 AIPECIX
* 200^0 99Er\+Yv
* 200^0 aDBxQQB
* 200^0 JgEAjYQ
{ VNRORON=yes }
:0
* VNRORON ?? yes
{
LOG="---=== WORM-RORON $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Roron
}


}
###### END-OF-TVqQAAM-FAMILY ######


#for Sobig.F-bounces
:0BD
* -700^0
* 400^0 ^X-MailScanner: Found to be clean
* 400^0 boundary="_NextPart_000_
* 300^0 ^TVqQAAM
* 300^0 virus
* 300^0 sobig
{
LOG="---=== WORM-SOBIG-BOUNCE $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Sobig
}


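###### START-OF-TVpQAAI-FAMILY ######
# TVpQAAI is the base64 encoding of the bytes 4D 5A 50 00 02, an "MZ" executable header.
# The TVqQAAM, TVpsAAE and TVoAAAE family prefixes decode the same way:
# "MZ" followed by different header bytes.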
:0BD
* ^TVpQAAI
{
#for SirCam
:0BD
* -800^0
* 200^0 jUTBBIs
* 200^0 fCQIdgS
* 200^0 o4jkQQC
* 200^0 \+///iyw
* 200^0 ZIkhgD1
{
LOG="---=== WORM-SIRCAM $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-SirCam
}


#for Torvil
#Torvil-d
:0BD
* -800^0
* 200^0 vEHrqPw
* 200^0 xC3aYZq
* 200^0 X2ALv2p
* 200^0 RESiQyw
* 200^0 2vhsRIa
{
LOG="---=== WORM-TORVIL $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Torvil
}


#for Elkern
#Elkern-b
:0BD
* -800^0
* 200^0 P\+VR\+9c
* 200^0 6b25uWg
* 200^0 uSmvKqe
* 400^0 qHWNqPQ
{
LOG="---=== WORM-ELKERN $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Elkern
}


#for Magistr (xmm.. upgrades..)
:0BD
* -800^0
* 200^0 Luj0///
* 200^0 oVgSQgD
* 200^0 /1AIg8Q
* 200^0 agBT6MD
* 200^0 X13DAAA
{
LOG="---=== WORM-MAGISTR $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Magistr
}


#for Dumaru-a
:0BD
* -800^0
* 200^0 \+Wju6sA
* 200^0 gEzZBBs
* 200^0 L7XUF5A
* 200^0 vB4dxDv
* 200^0 TAEEAOw
{ VNDUMARU=yes }
#for Dumaru-c
:0BD
* -800^0
* 200^0 XQiJA\+5
* 200^0 gEwWKb7
* 200^0 FAQLyXW
* 200^0 DyB/CA\+
* 200^0 JLgD6CH
{ VNDUMARU=yes }
#for Dumaru-g
:0BD
* -800^0
* 200^0 iQPuYGb
* 200^0 KiuETQw
* 200^0 ot1gMg1
* 200^0 tQcrD8H
* 200^0 QbQkuAO
{ VNDUMARU=yes }
:0
* VNDUMARU ?? yes
{
LOG="---=== WORM-DUMARU $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Dumaru
}


#for PWS-LegMir
:0BD
* -800^0
* 200^0 ChLjx\+I
* 200^0 i/SLBXj
* 200^0 GqlF2CA
* 200^0 hQMdg7j
* 200^0 8McHMRi
{ VNLEGMIR=yes }
#decompressed
:0BD
* -800^0
* 200^0 i8Pot//
* 200^0 ACv7V1P
* 200^0 aMDlQAD
* 200^0 oRjmQAC
* 200^0 6yaLy4X
{ VNLEGMIR=yes }
:0
* VNLEGMIR ?? yes
{
LOG="---=== WORM-LEGMIR $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-LegMir
}


#for MTX
:0BD
* -800^0
* 200^0 FDJAAP8
* 200^0 dAEAADP
* 200^0 Aw\+ESAE
* 200^0 YW1lPSI
* 200^0 ZXJkYXk
{
LOG="---=== WORM-MTX $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-MTX
}


#for Blebla or SysClock (not aka)
:0BD
* -800^0
#both
* 200^0 A7ABXlv
* 200^0 AACB5gD
#Blebla
* 200^0 PeBAAAB
#SysClock
* 200^0 PSBBAAB
#both
* 200^0 iXAIgf4
* 200^0 A8H4Aos
{
LOG="---=== WORM-BLEBLA $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Blebla
}


#for Happy
:0BD
* -800^0
* 200^0 AIs97w5
* 200^0 BaIOQgB
* 200^0 AIBu/gF
* 200^0 ///////
* 200^0 BpuNlhc
{
LOG="---=== WORM-HAPPY $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Happy
}


#for Opasoft-a,d
:0BD
* -800^0
* 200^0 AGoQa(HV|IR)
* 200^0 uP////9
* 200^0 5bj////
* 200^0 7gBQZsd
#Opasoft-a
* 200^0 9D1/AAA
#Opasoft-d
* 200^0 UOjQLwA
{
LOG="---=== WORM-OPASOFT $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Opasoft
}


#for PrettyPark
:0BD
* -800^0
* 200^0 lBZdKuu
* 200^0 FRjW9x\+
* 200^0 NdbUAVL
* 200^0 yAD/0G4
* 200^0 msWiAPA
{ VNPRETTYPARK=yes }
#some uncompressed variant
:0BD
* -800^0
* 200^0 A8oD7Oj
* 200^0 wRJ0UIt
* 200^0 x/gOg84
* 200^0 CZ5ICGr
* 200^0 PEiIB8Y
{ VNPRETTYPARK=yes }
:0
* VNPRETTYPARK ?? yes
{
LOG="---=== WORM-PRETTYPARK $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-PrettyPark
}


#for IISWorm
:0BD
* -800^0
* 200^0 6CNaAAB
* 200^0 RQz88q5
* 200^0 AHUBSGS
* 200^0 3UUAAGS
* 200^0 Q0ZQ6Hf
{
LOG="---=== WORM-IISWORM $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-IISWorm
}


#for Sharpei.a
:0BD
* -800^0
* 200^0 iAAAAIv
* 200^0 dCBtYWt
* 200^0 cnNpb24
* 200^0 ACAAawA
* 200^0 dGUAU2V
{
LOG="---=== WORM-SHARPEI $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Sharpei
}


#for Heyya.b
:0BD
* -800^0
* 200^0 vjKIRAB
* 200^0 xofi2UA
* 200^0 6hZAAOg
* 200^0 MwAAamR
* 200^0 dWVuemF
{
LOG="---=== WORM-HEYYA $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Heyya
}


#for Ganda
:0BD
* -800^0
* 200^0 oEAAjT1
* 200^0 ECcAAGj
* 200^0 AP8145R
* 200^0 SMHgBYP
* 200^0 AOibBAA
{
LOG="---=== WORM-GANDA $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Ganda
}


#for Icecubes
:0BD
* -800^0
#Icecubes-a
* 200^0 AFChCzx
* 200^0 MItNKIl
* 200^0 AOiI///
* 200^0 A0YMLW0
* 200^0 //\+D\+AA
{
LOG="---=== WORM-ICECUBES $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Icecubes
}


#for Energy
:0BD
* -800^0
#Energy-a
* 200^0 LCF\+amA
* 200^0 4Z5EEkX
* 200^0 Xs\+bVnx
* 200^0 /80esdu
* 200^0 w4ySLg9
{
LOG="---=== WORM-ENERGY $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Energy
}


}
###### END-OF-TVpQAAI-FAMILY ######


###### START-OF-TVpsAAE-FAMILY ######
:0BD
* ^TVpsAAE
{
#for FunnyPics
:0BD
* -800^0
* 200^0 aWxsQmF
* 200^0 /3X06L0
* 200^0 PAF0CIP
* 200^0 cFIAAHp
* 200^0 Q29tbWF
{
LOG="---=== WORM-FUNNYPICS $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-FunnyPics
}


#for Trood
:0BD
* -800^0
* 200^0 6Yr\+//9
* 200^0 AFBZXuj
* 200^0 QACLDVg
* 200^0 AABJLVd
* 200^0 QAD/Jeh
{
LOG="---=== WORM-TROOD $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Trood
}


}
###### END-OF-TVpsAAE-FAMILY ######


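###### START-OF-SVRTRgM-FAMILY ######
# SVRTRgM is the base64 encoding of "ITSF" followed by the byte 03,
# the header of a compiled HTML help (.chm) file.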
:0BD
* ^SVRTRgM
{
#for Brit
#Brit
:0BD
* -800^0
* 400^0 JyaXRuZX
* 200^0 L1RyYW5
* 200^0 YcR4Zy8
* 200^0 YZe9JUh
{ VNBRIT=yes }
#Brit-d
:0BD
* -800^0
* 400^0 JyaXRuZX
* 200^0 UV86KO6
* 200^0 vizHnV8
* 200^0 NRd\+6wN
{ VNBRIT=yes }
#Brit-h
:0BD
* -800^0
* 200^0 yWfUfsz
* 200^0 Wob4L\+Y
* 200^0 Sf/SWMh
* 200^0 yRGhgd3
* 200^0 xlLW/PZ
{ VNBRIT=yes }
#Brit-c
:0BD
* -800^0
* 400^0 NIQUtJUk
* 200^0 F5fz68l
* 200^0 oEiP4kk
* 200^0 rPJ9vjy
{ VNBRIT=yes }
#Brit-b
:0BD
* -800^0
* 400^0 NBSUZBTkV
* 200^0 Sxn5Ang
* 200^0 TCZ/0VX
* 200^0 WCV3cE\+
{ VNBRIT=yes }
:0
* VNBRIT ?? yes
{
LOG="---=== WORM-BRIT $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Brit
}


}
###### END-OF-SVRTRgM-FAMILY ######


###### START-OF-TVoAAAE-FAMILY ######
:0BD
* ^TVoAAAE
{
#Bagle.I
:0BD
* -800^0
* 200^0 cBArwl7
* 200^0 T6qQLX1
* 200^0 kEHYDvg
* 200^0 QPs9eI/
* 200^0 TcNTYw0
{ VNBAGLE=yes }
#decompressed
:0BD
* -800^0
* 200^0 dQiLfQy
* 200^0 wsnCCAB
* 200^0 Zo9Flmb
* 200^0 RdJQ6Kj
* 200^0 i8NbycN
{ VNBAGLE=yes }
#Bagle.J
:0BD
* -800^0
* 200^0 cBArwl7
* 200^0 T9nSl6W
* 200^0 wL2asE4
* 200^0 cRIp536
* 200^0 PIE9oBn
{ VNBAGLE=yes }
#Bagle.N
:0BD
* -800^0
* 200^0 97s7t7W
* 200^0 RiBkFyn
* 200^0 GaQor/M
* 200^0 Ch92ZAu
* 200^0 FI3zFEM
{ VNBAGLE=yes }
#Bagle.Z
:0BD
* -800^0
* 200^0 jvSqkJQ
* 200^0 MR0Hjgo
* 200^0 dvxEIww
* 200^0 JvsESvu
* 200^0 GZLKYyR
{ VNBAGLE=yes }
:0
* VNBAGLE ?? yes
{
LOG="---=== WORM-BAGLE $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Bagle
}

}
###### END-OF-TVoAAAE-FAMILY ######


#NetSky.d
:0BD
* -1000^0
* 200^0 ^TVoAACQ
* 200^0 kxAVw4E
* 200^0 jyHppNc
* 200^0 TER/Nyz
* 200^0 qECfj\+4
* 200^0 rOEy\+xn
{
LOG="---=== WORM-MOODOWN $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Moodown
}


#for Tanatos aka BugBear (data files and leftovers)
:0BD
* -1000^0
* 200^0 ^qNaGJAD
* 200^0 \+4JY8\+P
* 200^0 6\+UYghj
* 200^0 68n1Ghj
* 200^0 YqjWZmB
* 200^0 ghTr7RQ
{
LOG="---=== WORM-BUGBEAR-TANATOS $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Bugbear
}


#for Mawanella
:0BD
* -1000^0
* 500^0 ^T24gRXJ
* 250^0 bnQKICB
* 250^0 ICAgICA
* 200^0 ZyAmICJ
* 500^0 [mM]awanella
* 600^0 dirsystem&"\\Mawanella.vbs"
{
LOG="---=== WORM-MAWANELLA $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Mawanella
}


#for Aliz
:0BD
* -1000^0
* 300^0 ^TVoAAAI
* 300^0 Z48GGVZ
* 300^0 kZ8x\+Ak
* 300^0 QCCZAWJ
{
LOG="---=== WORM-ALIZ $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Aliz
}


#for EICAR-AV-TEST file (www.eicar.com)
:0BD
* -1000^0
* 1100^0 ^WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9J
* 1100^0 ^X5O\!P\%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$
{
LOG="---=== EICAR TEST NOT A VIRUS $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-EICAR-AV-TEST
}


#for anything with MS-executable attachment that contains iframe
# (the leading () keeps procmail from reading "<" as a size test)
:0B
* -1000^0
* 500^0 ()<iframe
* 600^0 iframe>
{
LOG="---=== IFRAME-EXPLOIT $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: IFRAME"

:0:
$VIRDIR/virus-Exploit-IFrame
}


#for anything left with MS-executable
:0
{
LOG="---=== COULD-BE-WORM $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: MS-EXEC"

:0fhw
* YAVRWARNEXE ?? ON
| formail -i "Subject: WARNING-MS-EXEC-$SUB"

:0:
* YAVRQUARANTEXE ?? ON
$VIRDIR/virus-could-be
}

}
#####################################END-OF-SIGNATURE-BASED


###########################################################
# for e-worms signature-based-2
###########################################################
:0HB
* < 150000
* ^Content-Type[ ]*:.*(application|audio|multipart|mixed|alternative|partial)
* name[ ]*[*]?[ ]*=.*\.[ ]*(zip|rar|bat|pif|cmd|vb[as]|scr|lnk|com|exe|chm|\{[-0-9a-f]+\})(\.....?)?"?[ ]*$
* ^Content-Transfer-Encoding[ ]*:.*(base64|quoted-printable|7bit)
{

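#for NetSky.r
# $?^? between characters matches an optional line break, so the signature
# is still found when the base64 text wraps to a new line in the middle of it.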
:0BD
* -1000^0
* 200^0 a$?^?W$?^?5$?^?0$?^?Z$?^?k$?^?E
* 200^0 l$?^?8$?^?G$?^?j$?^?Z$?^?n$?^?h
* 200^0 Q$?^?2$?^?J$?^?i$?^?U$?^?1$?^?o
* 200^0 f$?^?3$?^?9$?^?/$?^?f$?^?3$?^?f
* 200^0 3$?^?v$?^?r$?^?G$?^?M$?^?s$?^?Q
* 200^0 O$?^?s$?^?G$?^?R$?^?F$?^?c$?^?H
{ VNMOODOWN=yes }
:0
* VNMOODOWN ?? yes
{
LOG="---=== WORM-MOODOWN $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Moodown
}

}
###################################END-OF-SIGNATURE-BASED-2


# - viral signatures are specially selected, DO NOT CHANGE.
# - if you intend to use them, please give appropriate credit to the people who worked on them.


###########################################################
# for e-worms signature-based (compressed files only)
###########################################################
:0HB
* ^Content-Type[ ]*:.*(application|audio|multipart|mixed|alternative|partial|x-zip-compressed)
* name[ ]*.?[ ]*=.*\.[ ]*(zip|rar)(\.....?)?"?[ ]*$
* ^Content-Transfer-Encoding[ ]*:.*(base64|quoted-printable|7bit)
{

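###### START-OF-UEsDBAo-FAMILY ######
# UEsDBAo is the base64 encoding of the ZIP local file header "PK" 03 04
# followed by the byte 0A. The UEsDBBQ family further down is the same
# header followed by the byte 14.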
:0BD
* ^UEsDBAo
{

#for Mimail
#Mimail.A
:0BD
* -800^0
* 200^0 DYlD/It
* 200^0 ImigfkV
* 200^0 Bls0lhq
* 200^0 pNmBThr
* 200^0 JhZCsNz
{ VNMIMAIL=yes }
#Mimail.C
:0BD
* -800^0
* 200^0 t\+veDgy
* 200^0 /2u5sw3
* 200^0 zfTsPcV
* 200^0 TpwlV8i
* 200^0 7LJjzHw
{ VNMIMAIL=yes }
#Mimail.E
:0BD
* -800^0
* 200^0 Krfr3g4
* 200^0 hfDH/2u
* 200^0 StzN9KS
* 200^0 oqYVMiS
* 200^0 nVADbAw
{ VNMIMAIL=yes }
#Mimail.F
:0BD
* -800^0
* 200^0 Krfr3g4
* 200^0 /2tsw77
* 200^0 bGZ7LOw
* 200^0 oqZOnEu
* 200^0 nAwYfDR
{ VNMIMAIL=yes }
#Mimail.G
:0BD
* -800^0
* 200^0 Krfr3g4
* 200^0 8Mf/a7n
* 200^0 zfTS2cz
* 200^0 ZWamTpy
* 200^0 P2DP6xh
{ VNMIMAIL=yes }
#Mimail.dam
:0BD
* -800^0
* 500^0 c$?^?m$?^?V$?^?h$?^?Z$?^?G$?^?5$?^?v$?^?d$?^?y$?^?5$?^?k$?^?b$?^?2$?^?M$?^?u$?^?c$?^?2$?^?N$?^?y$?^?U$?^?E$?^?s$?^?B$?^?A$?^?h$?^?Q$?^?A$?^?C$?^?g
* 500^0 H$?^?J$?^?l$?^?Y$?^?W$?^?R$?^?u$?^?b$?^?3$?^?c$?^?u$?^?Z$?^?G$?^?9$?^?j$?^?L$?^?n$?^?N$?^?j$?^?c$?^?l$?^?B$?^?L$?^?B$?^?Q$?^?Y
{ VNMIMAIL=yes }
:0
* VNMIMAIL ?? yes
{
LOG="---=== WORM-MIMAIL $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Mimail
}


#for Novarg.zip
#file.zip
:0BD
* -800^0
* 200^0 5VHAMqc
* 200^0 iMKn1T\+
* 200^0 kbq3P7m
* 200^0 87Gv\+ba
* 200^0 /G7XQ7I
{ VNNOVARG=yes }
#document.zip
:0BD
* -800^0
* 200^0 U7MafOV
* 200^0 CQLWLoj
* 200^0 XM3X35G
* 200^0 raBmyvO
* 200^0 CP//W/x
{ VNNOVARG=yes }
#message.zip
:0BD
* -800^0
* 200^0 sxp85VH
* 200^0 AtYuiMK
* 200^0 zdffkbq
* 200^0 oGbK87G
* 200^0 //9b/G7
{ VNNOVARG=yes }
#readme.zip
:0BD
* -800^0
* 200^0 GnzlUcA
* 200^0 1i6Iwqf
* 200^0 19\+Rurc
* 200^0 Zsrzsa/
* 200^0 /1v8btd
{ VNNOVARG=yes }
#doc.zip
:0BD
* -800^0
* 200^0 UcAypx\+
* 200^0 wqfVP4p
* 200^0 urc/uZp
* 200^0 sa/5tpQ
* 200^0 btdDsiS
{ VNNOVARG=yes }
#body.zip
:0BD
* -800^0
* 200^0 NHmh3Bp
* 200^0 XmBJcvX
* 200^0 //4dwgw
* 200^0 f1HJaHm
* 200^0 JluTzgx
{ VNNOVARG=yes }
#doc.zip
:0BD
* -800^0
* 200^0 aVqmSkq
* 200^0 gxQA14C
* 200^0 RNu1qDg
* 200^0 9gC2PWw
* 200^0 AVxmJQG
{ VNNOVARG=yes }
#body.zip
:0BD
* -800^0
* 200^0 fgInOAe
* 200^0 fVIyfgC
* 200^0 PwCqwm7
* 200^0 nOZ\+kwK
* 200^0 lr0AFQa
{ VNNOVARG=yes }
#another zip
:0BD
* -800^0
* 200^0 cwAAgAA
* 200^0 pABJUX4
* 200^0 a/P6HX1
* 200^0 r7kEGj8
* 200^0 8m73Cpz
{ VNNOVARG=yes }
#another zip
:0BD
* -800^0
* 200^0 Spp\+aUK
* 200^0 gJrXXRK
* 200^0 OACeMCa
* 200^0 bDmjZKS
* 200^0 AbhW4ZL
{ VNNOVARG=yes }
#MyDoom.e
:0BD
* -800^0
* 200^0 1xZYneU
* 200^0 jA2uWpc
* 200^0 2QeP4pz
* 200^0 8W2ey1T
* 200^0 4mnpjVI
{ VNNOVARG=yes }
#MyDoom.e
:0BD
* -800^0
* 200^0 B1Cg8UX
* 200^0 leFkBUR
* 200^0 h/6B3aL
* 200^0 wsdsvqR
* 200^0 oPm6Kvf
{ VNNOVARG=yes }
#MyDoom.e
:0BD
* -800^0
* 200^0 oPFF//8
* 200^0 ZAVEU5X
* 200^0 gd2i//\+
* 200^0 bL6kQ\+/
* 200^0 uir38IJ
{ VNNOVARG=yes }
#MyDoom.g
:0BD
* -800^0
* 200^0 771msNA
* 200^0 CG1jBlZ
* 200^0 EWd6bnZ
* 200^0 RkI0XFc
* 200^0 96dZDcN
{ VNNOVARG=yes }
#generic signature just to be sure
:0BD
* -800^0
* 900^0 /$?^?/$?^?/$?^?/$?^?/$?^?2$?^?d$?^?y$?^?g$?^?J$?^?G$?^?l$?^?A$?^?L$?^?b$?^?z$?^?E$?^?z$?^?p$?^?c$?^?h$?^?b$?^?H$?^?g$?^?E$?^?k$?^?d$?^?/$?^?u$?^?v$?^?g$?^?5$?^?f$?^?c$?^?Q$?^?O$?^?W$?^?6$?^?v$?^?\+$?^?V$?^?K$?^?0$?^?J$?^?a$?^?M$?^?o$?^?v
* 900^0 /$?^?/$?^?/$?^?/$?^?/$?^?i$?^?\+$?^?d$?^?G$?^?q$?^?A$?^?1$?^?1$?^?4$?^?E$?^?6$?^?/$?^?c$?^?6$?^?o$?^?k$?^?Q$?^?X$?^?T$?^?0$?^?c$?^?o$?^?E$?^?/$?^?P$?^?0$?^?J$?^?I$?^?U$?^?U$?^?1$?^?s$?^?f$?^?p$?^?P$?^?L$?^?x$?^?u$?^?Q$?^?F$?^?K$?^?1$?^?D
* 900^0 /$?^?/$?^?/$?^?/$?^?\+$?^?u$?^?t$?^?8$?^?P$?^?S$?^?5$?^?P$?^?k$?^?R$?^?L$?^?E$?^?p$?^?r$?^?j$?^?7$?^?b$?^?g$?^?D$?^?T$?^?1$?^?w$?^?p$?^?t$?^?8$?^?b$?^?W$?^?p$?^?z$?^?h$?^?K$?^?X$?^?T$?^?C$?^?E$?^?2$?^?e$?^?\+$?^?G$?^?H$?^?X$?^?V$?^?O$?^?P
* 900^0 /$?^?/$?^?/$?^?/$?^?/$?^?/$?^?d$?^?a$?^?w$?^?C$?^?m$?^?V$?^?B$?^?H$?^?b$?^?r$?^?Y$?^?9$?^?5$?^?c$?^?3$?^?W$?^?H$?^?o$?^?c$?^?v$?^?\+$?^?P$?^?I$?^?r$?^?h$?^?R$?^?7$?^?Y$?^?w$?^?u$?^?0$?^?3$?^?s$?^?m$?^?1$?^?A$?^?0$?^?5$?^?8$?^?K$?^?p$?^?n
* 900^0 /$?^?/$?^?/$?^?/$?^?/$?^?/$?^?3$?^?W$?^?s$?^?A$?^?p$?^?l$?^?Q$?^?R$?^?2$?^?6$?^?2$?^?P$?^?e$?^?X$?^?N$?^?1$?^?h$?^?6$?^?H$?^?L$?^?/$?^?j$?^?y$?^?K$?^?4$?^?U$?^?e$?^?2$?^?M$?^?L$?^?t$?^?N$?^?7$?^?J$?^?t$?^?Q$?^?N$?^?O$?^?f$?^?C$?^?q$?^?Z
* 900^0 /$?^?/$?^?/$?^?/$?^?/$?^?J$?^?\+$?^?q$?^?w$?^?e$?^?U$?^?U$?^?U$?^?5$?^?r$?^?u$?^?T$?^?b$?^?k$?^?w$?^?t$?^?E$?^?f$?^?j$?^?i$?^?z$?^?7$?^?\+$?^?y$?^?q$?^?K$?^?G$?^?d$?^?n$?^?J$?^?6$?^?j$?^?q$?^?7$?^?b$?^?E$?^?1$?^?e$?^?k$?^?A$?^?G$?^?j$?^?f
* 900^0 /$?^?/$?^?/$?^?/$?^?E$?^?8$?^?B$?^?J$?^?d$?^?f$?^?a$?^?D$?^?8$?^?P$?^?8$?^?7$?^?R$?^?C$?^?Q$?^?E$?^?g$?^?9$?^?U$?^?B$?^?O$?^?0$?^?Q$?^?k$?^?C$?^?I$?^?P$?^?V$?^?A$?^?I$?^?k$?^?E$?^?J$?^?O$?^?h$?^?X
{ VNNOVARG=yes }
:0
* VNNOVARG ?? yes
{
LOG="---=== WORM-NOVARG $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Novarg
}


#for Moodown
:0BD
* -800^0
* 200^0 DQjrBGo
* 200^0 F5buQ6y
* 200^0 6IjshKS
* 200^0 staF6ga
* 200^0 /YB8Nct
{ VNMOODOWN=yes }
#another zip
:0BD
* -800^0
* 200^0 lu5DrKA
* 200^0 iOyEpID
* 200^0 1oXqBrG
* 200^0 gHw1y12
* 200^0 gLuf3uL
{ VNMOODOWN=yes }
#another zip
:0BD
* -800^0
* 200^0 \+xeW7kO
* 200^0 jOiI7IS
* 200^0 kLLWheo
* 200^0 1P2AfDX
* 200^0 7NSAu5/
{ VNMOODOWN=yes }
#another zip
:0BD
* -800^0
* 200^0 rKAUal9
* 200^0 pIDkyJE
* 200^0 BrG2wQw
* 200^0 y12NBHW
* 200^0 3uLJ4gJ
{ VNMOODOWN=yes }
#another zip
:0BD
* -800^0
* 200^0 6wRqNf/
* 200^0 7kOsoBR
* 200^0 7ISkgOT
* 200^0 heoGsbb
* 200^0 fDXLXY0
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 DRQKlm8
* 200^0 TTv3Wth
* 200^0 yMu/KXS
* 200^0 zRGz90g
* 200^0 MzTvkTE
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 0A0UCpZ
* 200^0 \+k0791r
* 200^0 hMjLvyl
* 200^0 q80Rs/d
* 200^0 5DM075E
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 nlUKFLk
* 200^0 BpLFc5j
* 200^0 Ld6FjK7
* 200^0 Dacg\+6G
* 200^0 \+hxFERp
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 CkzQI2F
* 200^0 Ko7KySg
* 200^0 VSMSscE
* 200^0 fBAGDco
* 200^0 6PFl5S2
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 FLkN0A0
* 200^0 c5jM\+k0
* 200^0 jK7QhMj
* 200^0 \+6GMq80
* 200^0 ERpJ5DM
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 uQ3QDRQ
* 200^0 mMz6TTv
* 200^0 rtCEyMu
* 200^0 oYyrzRG
* 200^0 GknkMzT
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 giOeVQo
* 200^0 lL0GksV
* 200^0 vDgt3oW
* 200^0 wUkNpyD
* 200^0 jYP6HEU
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 oMl9u5V
* 200^0 JXJ\+Dop
* 200^0 XywgXHw
* 200^0 BwxCcet
* 200^0 nMoYFDJ
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 ajX/1yI
* 200^0 iXAicu4
* 200^0 sAQL1oP
* 200^0 Bz2QVEm
* 200^0 OLA0IBf
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 O8Z0Bma
* 200^0 n4vY4wh
* 200^0 Dd5FcAG
* 200^0 WTvDWbz
* 200^0 QLZwoxs
{ VNMOODOWN=yes }
#Netsky.d
:0BD
* -800^0
* 200^0 kxAVw4E
* 200^0 jyHppNc
* 200^0 TER/Nyz
* 200^0 qECfj\+4
* 200^0 rOEy\+xn
{ VNMOODOWN=yes }
#Netsky.d
:0BD
* -800^0
* 200^0 iwQk/Yv
* 200^0 wtKGp6z
* 200^0 vi5sXtq
* 200^0 eV1Xkor
* 200^0 5bLDS9r
{ VNMOODOWN=yes }
#Netsky.j
:0BD
* -800^0
* 200^0 f0WP3bU
* 200^0 awW/yBV
* 200^0 BXSVCNQ
* 200^0 9BqNuGa
* 200^0 qflP54t
{ VNMOODOWN=yes }
#Netsky.q
:0BD
* -800^0
* 200^0 QWRkcmV
* 200^0 X4G3M5d
* 200^0 jjTIi12
* 200^0 Z/\+xmRH
* 200^0 benBLNN
{ VNMOODOWN=yes }
#Netsky.q
:0BD
* -800^0
* 200^0 hKLw/v9
* 200^0 9S/Ji25
* 200^0 02A582H
* 200^0 AWHPacb
* 200^0 25XelF2
{ VNMOODOWN=yes }
#Netsky.q
:0BD
* -800^0
* 200^0 xvpn0QJ
* 200^0 Xa60IWe
* 200^0 3I7cj5U
* 200^0 KP3GXoG
* 200^0 6hyZZ0f
{ VNMOODOWN=yes }
#Netsky.q
:0BD
* -800^0
* 200^0 QWRkcmV
* 200^0 X4G3M5d
* 200^0 jjTIi12
* 200^0 Z/\+xmRH
* 200^0 f39/f3f
{ VNMOODOWN=yes }
#Netsky.q
:0BD
* -800^0
* 200^0 /1dV/1M
* 200^0 bn\+ELN7
* 200^0 YcVCsDI
* 200^0 xvpn0QJ
* 200^0 Xa60IWe
{ VNMOODOWN=yes }
#Netsky.r
:0BD
* -800^0
* 200^0 a$?^?W$?^?5$?^?0$?^?Z$?^?k$?^?E
* 200^0 l$?^?8$?^?G$?^?j$?^?Z$?^?n$?^?h
* 200^0 Q$?^?2$?^?J$?^?i$?^?U$?^?1$?^?o
* 200^0 f$?^?3$?^?9$?^?/$?^?f$?^?3$?^?f
* 200^0 3$?^?v$?^?r$?^?G$?^?M$?^?s$?^?Q
* 200^0 H$?^?i$?^?X$?^?/$?^?T$?^?S$?^?F
* 200^0 K$?^?Z$?^?J$?^?z$?^?T$?^?n$?^?C
* 200^0 f$?^?3$?^?9$?^?/$?^?f$?^?3$?^?f
* 200^0 3$?^?v$?^?r$?^?G$?^?M$?^?s$?^?Q
{ VNMOODOWN=yes }
#Netsky.r
:0BD
* -800^0
* 200^0 ogAAOKI
* 200^0 0bagiBw
* 200^0 mmBIoKz
* 200^0 Xag4k/y
* 200^0 /NPCCu1
{ VNMOODOWN=yes }
#Netsky.r
:0BD
* -800^0
* 200^0 iBwiDWF
* 200^0 oKz1BN\+
* 200^0 //////\+
* 200^0 k/yfntw
* 200^0 Cu1oVYL
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 6wRqNf/
* 200^0 \+JKJcCJ
* 200^0 4gSwBAv
* 200^0 QF4HPZB
* 200^0 uwQ4sDQ
{ VNMOODOWN=yes }
#Netsky.c
:0BD
* -800^0
* 200^0 ZotACOs
* 200^0 CEtLefi
* 200^0 AYPiXOI
* 200^0 vNAuF0B
* 200^0 GzDrS7s
{ VNMOODOWN=yes }
#Netsky.r
:0BD
* -800^0
* 200^0 ogAAAAA
* 200^0 HCINYWE
* 200^0 rPUE37p
* 200^0 /////4A
* 200^0 /J\+e3D7
{ VNMOODOWN=yes }
#Netsky.gen
:0BD
* -800^0
* 200^0 4ItRz3o
* 200^0 R175C/c
* 200^0 pU9XKaF
* 200^0 NVGc8Hg
* 200^0 X7JosSm
{ VNMOODOWN=yes }
#Netsky.b
:0BD
* -800^0
* 200^0 BmZtb\+3
* 200^0 aLBcQQD
* 200^0 R44cOeS
* 200^0 WTZjsNK
* 200^0 bBDZYL/
{ VNMOODOWN=yes }
#Netsky.Y
:0BD
* -800^0
* 200^0 TaOQJsm
* 200^0 gRE8CnT
* 200^0 kgPIHyi
* 200^0 0AHEDHY
* 200^0 EIHCX7I
{ VNMOODOWN=yes }
#Netsky.X
:0BD
* -800^0
* 200^0 p2yr7NI
* 200^0 dfJPtnR
* 200^0 BJBUfM1
* 200^0 YjsD89C
* 200^0 MbZ\+TW5
{ VNMOODOWN=yes }
#Netsky.aa
:0BD
* -800^0
* 200^0 UMQiaNP
* 200^0 8TPzDAj
* 200^0 mJBxAY1
* 200^0 i3UJJ8m
* 200^0 OzI040u
{ VNMOODOWN=yes }
#Netsky.aa
:0BD
* -800^0
* 200^0 YSPoUHI
* 200^0 MxoYGCM
* 200^0 sARsEcO
* 200^0 HZSd7p8
* 200^0 zBzs0Ho
{ VNMOODOWN=yes }
#Netsky.r
:0BD
* -800^0
* 200^0 txwDGBG
* 200^0 sbzwN34
* 200^0 hLsIW7x
* 200^0 Dt9ZvYK
* 200^0 QkkCxKA
{ VNMOODOWN=yes }
#Netsky.aa
:0BD
* -800^0
* 200^0 J1DEImj
* 200^0 E/Ez8ww
* 200^0 mJiQcQG
* 200^0 Eot1CSf
* 200^0 GDsyNON
{ VNMOODOWN=yes }
#Netsky.aa
:0BD
* -800^0
* 200^0 cidQxCJ
* 200^0 IxPxM/M
* 200^0 w5iYkHE
* 200^0 nxKLdQk
* 200^0 ehg7MjT
{ VNMOODOWN=yes }
#Netsky.x
:0BD
* -800^0
* 200^0 D/c2OLc
* 200^0 IHiPh6O
* 200^0 M5mLo\+6
* 200^0 ye\+22ga
* 200^0 rg8X7ov
{ VNMOODOWN=yes }
#Netsky.aa
:0BD
* -800^0
* 200^0 ImjT0os
* 200^0 8wwIwev
* 200^0 cQGNZg/
* 200^0 CSfJi9d
* 200^0 NONLpQG
{ VNMOODOWN=yes }
#Netsky.ac
:0BD
* -800^0
* 200^0 XbBND40
* 200^0 df2XViE
* 200^0 AQB0HIs
* 200^0 3sfEGBA
* 200^0 3G78aYt
{ VNMOODOWN=yes }
:0
* VNMOODOWN ?? yes
{
LOG="---=== WORM-MOODOWN $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Moodown
}


#for I-Worm.Bagle
#Bagle.E
:0BD
* -800^0
* 200^0 \+AgKqqp
* 200^0 0nUFihZ
* 200^0 XmD0XkB
* 200^0 aUNfJTZ
* 200^0 dhOlB54
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 zY7z1nK
* 200^0 fNpjBDB
* 200^0 HEMrppP
* 200^0 IYMLkRs
* 200^0 ccJqzOl
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 fiHRsAx
* 200^0 mqd3SiC
* 200^0 m8hIBvZ
* 200^0 bUlG5uh
* 200^0 8L30tko
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 PRQdwpg
* 200^0 Bo4cX3q
* 200^0 7Zr4R3f
* 200^0 oeXDLID
* 200^0 g3Bx52y
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 7uLLdrZ
* 200^0 vbQ4z/I
* 200^0 3oSZTRw
* 200^0 znUL56g
* 200^0 nRtMNts
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 S5/wIO1
* 200^0 RnC8Czv
* 200^0 C9n75h8
* 200^0 Ch/Mjkz
* 200^0 D1xjJgo
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 Zgl61pA
* 200^0 oakZlRP
* 200^0 s1rmz6A
* 200^0 uLvPKpZ
* 200^0 GgnAlZk
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 Ct6He/h
* 200^0 0PeH70e
* 200^0 yy/aQZj
* 200^0 jucQQIj
* 200^0 hyHuYNg
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 m195aIs
* 200^0 uQKUk03
* 200^0 \+1HYKwQ
* 200^0 1QdFx9w
* 200^0 nmx81FV
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 UirBJXK
* 200^0 5HyBm3U
* 200^0 FUzSZL8
* 200^0 DQjYF1g
* 200^0 6M2DbpQ
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 Wb7yNvs
* 200^0 GTWWy\+f
* 200^0 tlbOvFz
* 200^0 t0Z//Ct
* 200^0 UwJo1\+\+
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 BuUWWzF
* 200^0 fPD9kbz
* 200^0 kbRa6Qb
* 200^0 2BZUiOH
* 200^0 LxT/bXg
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 MJ7pViW
* 200^0 VXwfT7z
* 200^0 pibNicQ
* 200^0 eGK2v1W
* 200^0 uRbUXBO
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 H5ve9Rt
* 200^0 XlcZNnb
* 200^0 82b2HAx
* 200^0 /QU5Lge
* 200^0 AB6ihW/
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 fTfdh1K
* 200^0 dfEpPpK
* 200^0 \+sVTVrZ
* 200^0 0/YE2d0
* 200^0 tVEiLDT
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 7aw0mcV
* 200^0 1QGPdD8
* 200^0 eLFlA9d
* 200^0 VV\+LLeP
* 200^0 aPR\+O\+V
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 WAnhIpJ
* 200^0 aEnBuc7
* 200^0 Jc4QZVX
* 200^0 HXkLuyX
* 200^0 9AbuoRG
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 c7GNmx1
* 200^0 solfLAf
* 200^0 F3oOlxn
* 200^0 67Y9uza
* 200^0 \+udAwCH
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 65DYJca
* 200^0 RX3BWL7
* 200^0 ffLIfof
* 200^0 rRtiJB4
* 200^0 PKN/Znv
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 1LX2e6p
* 200^0 1PRoA6q
* 200^0 gKZ9INU
* 200^0 ttsEwjW
* 200^0 Z/yf5rr
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 l9PqHVb
* 200^0 PXk44UM
* 200^0 k4U4sC3
* 200^0 S8xIc75
* 200^0 FQ6F3rS
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 IT6hIeM
* 200^0 BFsthYr
* 200^0 2nO9Ev6
* 200^0 YbWO/VQ
* 200^0 DPkJlhF
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 NmgvMvh
* 200^0 cKKmyPo
* 200^0 vcXTkgu
* 200^0 J1hrDxg
* 200^0 7\+okkok
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 xlY/4IB
* 200^0 DS7AzeG
* 200^0 hMXEiiI
* 200^0 gNSpq41
* 200^0 QK//lG0
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 kWxk0Ql
* 200^0 TzSirea
* 200^0 Oysmf4w
* 200^0 wellxlZ
* 200^0 rnXsyMB
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 Tsm0z\+s
* 200^0 An/EVbL
* 200^0 owfcltF
* 200^0 tWFzCpm
* 200^0 si9/gSn
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 15HjUSM
* 200^0 jmE5PVW
* 200^0 d4vmczO
* 200^0 nglXqfk
* 200^0 f94Wiwe
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 9pyh3dz
* 200^0 vQJuixX
* 200^0 1nSonlV
* 200^0 y55v7tJ
* 200^0 FOPQegZ
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 t8VHAUu
* 200^0 MbDo1ky
* 200^0 LNCDMG8
* 200^0 UuzWs9j
* 200^0 5YjrYWX
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 ZaQpMtV
* 200^0 flz1xT6
* 200^0 XZYDN/m
* 200^0 RvMs017
* 200^0 lI9E\+a\+
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 DyPLYLd
* 200^0 j7xPYQG
* 200^0 MOd79tD
* 200^0 dFtLFPx
* 200^0 x8RjIbT
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 ZUYNOim
* 200^0 BrPp6n1
* 200^0 RsLy0nD
* 200^0 nswz\+u5
* 200^0 cP4axDy
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 NeiWq7U
* 200^0 y6ZI/TF
* 200^0 kMj8l8I
* 200^0 jMI1bpB
* 200^0 uuxjIbq
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 mSFqQeU
* 200^0 r5pG4NF
* 200^0 5nw9SIE
* 200^0 DtfppML
* 200^0 VWgsCXC
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 NtBJaTg
* 200^0 kQ7CUQ2
* 200^0 NZf1HRe
* 200^0 nwljrKu
* 200^0 oDLjsFW
{ VNBAGLE=yes }
:0
* VNBAGLE ?? yes
{
LOG="---=== WORM-BAGLE $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Bagle
}


#for Dumaru-k
:0BD
* -800^0
* 200^0 yrsA6tO
* 200^0 8P7\+kXF
* 200^0 V1lHf2F
* 200^0 6YkYBCS
* 200^0 6hGL2bp
{
LOG="---=== WORM-DUMARU $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Dumaru
}


#Sober-d
:0BD
* -800^0
* 200^0 oK5VWqe
* 200^0 FiqzIwM
* 200^0 Aw0B2pr
* 200^0 GWTZdAO
* 200^0 twwAqgD
{ VNSOBER=yes }
:0
* VNSOBER ?? yes
{
LOG="---=== WORM-SOBER $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Sober
}


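###################generic for some worm zip files
###################based on an idea of Mike Elliott
# ICAg is the base64 encoding of three spaces, so the pattern matches a
# long run of space characters in the encoded file.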
:0BD
* -800^0
* 900^0 I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g$?^?I$?^?C$?^?A$?^?g
{
LOG="---=== COULD-BE-WORM $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0fhw
* YAVRWARNEXE ?? ON
| formail -i "Subject: WARNING-MS-EXEC-$SUB"

:0:
* YAVRQUARANTEXE ?? ON
$VIRDIR/virus-could-be
}
###################


}
###### END-OF-UEsDBAo-FAMILY ######

#####################################
#generic password protected Bagle.J
:0HBD
* > 10000
* < 25000
* -1000^0
* 300^0 ^Subject[ ]*:.*(Notify( )*about( )*using( )*the( )*e-mail( )*account|(E-mail|Email)( )*account( )*(security|disabling|utilization)( )*warning|\
Important( )*notify( )*about( )*your( )*e-mail( )*account|Notify( )*about( )*your( )*e-mail( )*account( )*utilization|\
Warning( )*about( )*your( )*e-mail( )*account)
#part one
* 200^0 Your( )*e-mail( )*account( )*will( )*be( )*disabled( )*because( )*of( )*improper( )*using( )*in( )*next
* 200^0 Our( )*antivirus( )*software( )*has( )*detected( )*a( )*large( )*ammount( )*of( )*viruses( )*outgoing
* 200^0 Our( )*main( )*mailing( )*server( )*will( )*be( )*temporary( )*unavaible( )*for( )*next( )*two( )*days
* 200^0 Your( )*e-mail( )*account( )*has( )*been( )*temporary( )*disabled( )*because( )*of( )*unauthorized( )*access
* 200^0 We( )*warn( )*you( )*about( )*some( )*attacks( )*on( )*your( )*e-mail( )*account
* 200^0 Some( )*of( )*our( )*clients( )*complained( )*about( )*the( )*spam( )*\(negative( )*e-mail( )*content\)
#part two
* 200^0 For( )*more( )*information( )*see( )*the( )*attached( )*file( )*
* 200^0 Further( )*details( )*can( )*be( )*obtained( )*from( )*attached( )*file
* 200^0 Advanced( )*details( )*can( )*be( )*found( )*in( )*attached( )*file
* 200^0 For( )*(further)?( )*details( )*see( )*the( )*attach
* 200^0 read( )*the( )*attach( )*for( )*further( )*details
* 200^0 Pay( )*attention( )*on( )*attached( )*file
#part three
* 200^0 For( )*security( )*reasons( )*attached( )*file( )*is( )*password( )*protected\.( )*The( )*password( )*is
* 200^0 For( )*security( )*purposes( )*the( )*attached( )*file( )*is( )*password( )*protected\.( )*Password( )*is
* 200^0 Attached( )*file( )*protected( )*with( )*the( )*password( )*for( )*security( )*reasons\.( )*Password( )*is
* 200^0 In( )*order( )*to( )*read( )*the( )*attach( )*you( )*have( )*to( )*use( )*the( )*following( )*password
#part four: base64 of a ZIP local file header (version 1.0) with the encryption flag set
* 500^0 ^UEsDBAoAAQAAA
{ VNBAGLE=yes }
:0
* VNBAGLE ?? yes
{
LOG="---=== WORM-BAGLE $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Bagle
}
#####################################


###### START-OF-UEsDBBQ-FAMILY ######
:0BD
* ^UEsDBBQ
{

#for Mimail
#Mimail.M
:0BD
* -800^0
* 200^0 Ja2AGLt
* 200^0 Sr75CbN
* 200^0 lGonaYF
* 200^0 \+E5NYlp
* 200^0 YrNN/mr
{
LOG="---=== WORM-MIMAIL $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Mimail
}


#for Bagle
#Bagle.N
:0BD
* -800^0
* 200^0 dr0YSC1
* 200^0 Vw4/Vzf
* 200^0 MYYwmMp
* 200^0 NyEexHO
* 200^0 oLBTKrY
{
LOG="---=== WORM-BAGLE $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Bagle
}


#for Dropper.Mimail.b (had it with Torvil.d)
:0BD
* -800^0
* 200^0 SRmUewf
* 200^0 QqGUjzm
* 200^0 b8aomjo
* 200^0 c/jEWtY
* 200^0 N3WlMVw
{
LOG="---=== WORM-TORVIL $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Torvil
}

}
###### END-OF-UEsDBBQ-FAMILY ######


#for Sobig-gen (Sobig-e is sent as a zip file with name your_details.zip)
:0HB
* name="your_details.zip"
{
:0BD
* -1000^0
* 200^0 ^UEsDBBQ
* 900^0 Z$?^?G$?^?V$?^?0$?^?Y$?^?W$?^?l$?^?s$?^?c$?^?y$?^?5$?^?w$?^?a$?^?W
{
LOG="---=== WORM-SOBIG $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Sobig
}
}


###### START-OF-UmFyIRo-FAMILY ######
# UmFyIRo is for rar files
:0BD
* ^UmFyIRo
{

#for Bagle
#Bagle.N
:0BD
* -800^0
* 200^0 wrvsf/9
* 200^0 bX9U8NX
* 200^0 1nbBPXZ
* 200^0 TKGaBPt
* 200^0 CTdUBai
{ VNBAGLE=yes }
#Bagle.zip
:0BD
* -800^0
* 200^0 rqDj1Gp
* 200^0 f6xnzQM
* 200^0 kplnkX4
* 200^0 u0CkpBq
* 200^0 Ut3yObR
{ VNBAGLE=yes }
:0
* VNBAGLE ?? yes
{
LOG="---=== WORM-BAGLE $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: VIRUS"

:0:
$VIRDIR/virus-Bagle
}

}
###### END-OF-UmFyIRo-FAMILY ######



}
###################################END-OF-SIGNATURE-BASED-2


# - viral signatures are specially selected, DO NOT CHANGE.
# - if you intend to use them, please give appropriate credit to the people who worked on them.


###########################################################
# doc, dot, xls, xla attachments with MACRO code
# delivers the e-mail normally but with a warning in the subject
###########################################################
:0HB
* ^Content-Type[ ]*:.*(application|audio|multipart|mixed|alternative|partial)
* name[ ]*[*]?[ ]*=.*\.[ ]*(do[tc]|xl[sa]|rtf|\{[-0-9a-f]+\})(\.....?)?"?[ ]*$
* ^Content-Transfer-Encoding[ ]*:.*base64
{
:0BD
* -1000^0
#Office Documents header
* 500^0 ^0M8R4KGxGuEAAAAAAAAAAA............ADAP7/CQAG
* 400^0 A$?^?F$?^?Q$?^?A$?^?a$?^?A$?^?B$?^?p$?^?A$?^?H$?^?M$?^?A$?^?R$?^?A$?^?B$?^?v$?^?A$?^?G$?^?M$?^?A$?^?d$?^?Q$?^?B$?^?t$?^?A$?^?G$?^?U$?^?A$?^?b$?^?g$?^?B$?^?0
* 400^0 A$?^?V$?^?w$?^?B$?^?v$?^?A$?^?H$?^?I$?^?A$?^?a$?^?w$?^?B$?^?i$?^?A$?^?G$?^?8$?^?A$?^?b$?^?w$?^?B$?^?r$?^?A
* 400^0 A$?^?F$?^?c$?^?A$?^?b$?^?w$?^?B$?^?y$?^?A$?^?G$?^?s$?^?A$?^?Y$?^?g$?^?B$?^?v$?^?A$?^?G$?^?8$?^?A$?^?a$?^?w$?^?A
* 550^0 A$?^?X$?^?w$?^?B$?^?W$?^?A$?^?E$?^?I$?^?A$?^?Q$?^?Q$?^?B$?^?f$?^?A$?^?F$?^?A$?^?A$?^?U$?^?g$?^?B$?^?P$?^?A$?^?E$?^?o$?^?A$?^?R$?^?Q$?^?B$?^?D$?^?A$?^?F$?^?Q$?^?A
* 550^0 A$?^?F$?^?Y$?^?A$?^?Q$?^?g$?^?B$?^?B$?^?A$?^?F$?^?8$?^?A$?^?U$?^?A$?^?B$?^?S$?^?A$?^?E$?^?8$?^?A$?^?S$?^?g$?^?B$?^?F$?^?A$?^?E$?^?M$?^?A$?^?V$?^?A
* 550^0 A$?^?F$?^?8$?^?A$?^?V$?^?g$?^?B$?^?C$?^?A$?^?E$?^?E$?^?A$?^?X$?^?w$?^?B$?^?Q$?^?A$?^?F$?^?I$?^?A$?^?T$?^?w$?^?B$?^?K$?^?A$?^?E$?^?U$?^?A$?^?Q$?^?w$?^?B$?^?U$?^?A
{
LOG="---=== CONTAINS-ATTACHMENT-WITH-MACRO-CODE SCORE:$= $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: MACRO"

:0fhw
* YAVRWARNMAC ?? ON
| formail -i "Subject: WARNING-MACRO-$SUB"
}
}
##########################################END-OF-MACRO-SCAN


# - viral signatures are specially selected, DO NOT CHANGE.
# - if you intend to use them, please give appropriate credit to the people who worked on them.


###########################################################
# execution of apps using xml objects
# external execution of apps with iframe
# delivers the e-mail normally but with a warning in the subject
###########################################################
:0HB
* ^Content-Type[ ]*:.*(html|htm|hta)
* ^Content-Transfer-Encoding[ ]*:.*(quoted-printable|7bit)
{
#for xml
:0B
* -1000^0
* 500^0 ()<object
* 300^0 codebase
* 300^0 data
* 300^0 (file:/)?.*[a-z]?:/
* 100^0 classid
* 100^0 clsid:[-0-9a-f]+
{
LOG="---=== CONTAINS-XML-CODEBASE-OBJECT SCORE:$= $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: XML-CODEBASE"

:0fhw
| formail -i "Subject: WARNING-XML-CODEBASE-OBJECT-$SUB"
}

#for iframe
:0B
* -1000^0
* 500^0 ()<iframe
* 600^0 iframe>
{
LOG="---=== CONTAINS-IFRAME $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: IFRAME"

:0fhw
| formail -i "Subject: WARNING-IFRAME-$SUB"
}
}
##############################END-OF-IFRAME-AND-XML-OBJECTS



###########################################################
# execution of apps with hidden CLSID extension
# delivers the e-mail normally but with a warning in the subject
###########################################################
:0HB
* ^Content-Type[ ]*:.*(text)
* name[ ]*.?[ ]*=.*\.[ ]*\{[-0-9a-f]+\}(\.....?)?"?[ ]*$
{
LOG="---=== CONTAINS-CLSID-EXT $DATE ===---${NL}"
:0fhw
| formail -A "X-YAVR: CLSID-EXTENSION"

:0fhw
| formail -i "Subject: WARNING-CLSID-EXTENSION-$SUB"
}
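
Added example (not part of YAVR and not written by its author): the base64 anchors the recipes above match on are file headers as they appear inside a base64-encoded attachment body. This Python sketch decodes the bytes each pattern fixes, showing that `UEsDBAoAAQAAA` is a ZIP local header with the encryption flag set and that the `$?^?`-interleaved patterns spell strings such as `details.pi` and `VBA_PROJECT`; the function names are illustrative.

```python
import base64

# procmail's '$' and '^' both match a newline, so "$?^?" between two
# characters tolerates the line wrap of a base64-encoded body.
LINE_BREAK = "$?^?"
MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a": "rar", b"\xd0\xcf\x11\xe0": "ole2"}

def known_bytes(pattern: str) -> bytes:
    """Bytes that a base64 signature from the recipe fully determines."""
    b64 = pattern.lstrip("^").replace(LINE_BREAK, "")
    whole = len(b64) * 6 // 8              # each character carries 6 bits
    padded = b64 + "A" * (-len(b64) % 4)   # zero-fill the last 4-char group
    return base64.b64decode(padded)[:whole]

def describe(pattern: str) -> dict:
    """Identify the container and, for ZIP, read the local-header fields."""
    raw = known_bytes(pattern)
    info = {"hex": raw.hex(), "type": "unknown"}
    for magic, name in MAGIC.items():
        if raw.startswith(magic):
            info["type"] = name
    if info["type"] == "zip":
        if len(raw) >= 5:
            info["version_needed"] = raw[4]            # 10 = 1.0, 20 = 2.0
        if len(raw) >= 8:                              # general purpose flags
            flags = int.from_bytes(raw[6:8], "little")
            info["encrypted"] = bool(flags & 0x0001)   # bit 0: encrypted
    return info

def ascii_text(pattern: str) -> str:
    """Readable text in a signature; NULs of UTF-16LE strings are dropped."""
    return known_bytes(pattern).replace(b"\x00", b"").decode("ascii", "replace")

if __name__ == "__main__":
    # Patterns copied from the recipe above.
    for sig in ("^UEsDBAoAAQAAA", "^UEsDBBQ", "^UmFyIRo", "^0M8R4KGxGuE"):
        print(sig, describe(sig))
    sobig = "Z$?^?G$?^?V$?^?0$?^?Y$?^?W$?^?l$?^?s$?^?c$?^?y$?^?5$?^?w$?^?a$?^?W"
    print(ascii_text(sobig))   # text the Sobig recipe looks for
```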