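# worm_found.cf version 1.006 (2005-11-28)
# Collected and maintained by Martin Blapp (mb@imp.ch)
# Latest version at http://mx.imp.ch/rules/worm_found.cf
# Lists bogus worm warnings and sober.(i/k/l/m/n/o/p/q/r/s/t/u/x) bounces
#
# Attempt to catch all those bad worm autoresponders (except RCVD_FROM_SWINOG_SOBER entries)
#
# 1.001 First available version, added new sober variants.
# 1.002 Added new worm names, Mytop and Mytob
# 1.003 There are no defective SOBERs around, try to catch only sober bounces.
# 1.004 Catch up with Sober.X worms and bounces.
# 1.005 Added more Sober.X topics
# 1.006 Added one missing Sober.X topic
#
# Review notes (not part of the published changelog):
#  - Mass-mailing worms of this era forge the envelope sender, so an AV
#    gateway that "notifies the sender" is in practice sending backscatter
#    to an uninvolved third party.  These rules score such notifications
#    as spam.  Side effect: a genuine notification to a real sender is
#    scored the same way -- accepted by design, and worth knowing if you
#    rely on AV notifications for anything.
#  - WORM_FOUND_1a/2a stack on top of WORM_FOUND_1/2 (both rules fire),
#    so a sender on the default whitelist ends up with a HIGHER total,
#    not a lower one.  USER_IN_DEF_WHITELIST is the stock SpamAssassin
#    rule; the intent is to stop the whitelist from rescuing backscatter.
#  - Every header and body token matched below is attacker-controlled
#    text.  These are heuristics, not authentication; nothing here
#    verifies that a "bounce" really came from an MTA.
#  - Fixes vs. 1.006: the second "__WORM_FOUND_6" definition silently
#    replaced the first (SpamAssassin keeps the last definition of a
#    name), so "Mail modified to remove malicious content" never matched;
#    it is now __WORM_FOUND_18.  WORM_FOUND_1/2 referenced SOBER_X_EMPTY_A,
#    which is commented out below and therefore undefined (lint error);
#    the reference is dropped.  The body/subject sub-rule lists are now
#    shared via __WORM_FOUND_ANY so the two metas cannot drift apart
#    (WORM_FOUND_2 previously lacked __WORM_FOUND_14..17, which looks
#    like an oversight from 1.004-1.006 rather than intent).

# --- Worm names as they appear in AV notifications --------------------
# Sub-rules (leading __) score nothing on their own; they only feed the
# metas further down.  __WORMNAME_BODY is a "full" rule, i.e. it runs
# against the raw message including headers and undecoded MIME parts.
full   __WORMNAME_BODY /(?:[^_]Sober|Sober\.[NMNOPQRSTUVW]|Nimda|Netsky|SomeFool|Bagle|Mabutu|Mydoom|Klez|Nyxem|Bagz|Lovgate|Mimail|BugBear|Bofra|Bropia|Derdero|Kipis|Aimdes|Ahker|Gibe|Mytop|Mytob)\b/i
header __WORMNAME_SUBJ Subject =~ /(?:[^_]Sober|Nimda|Netsky|SomeFool|Bagle|Mabutu|Mydoom|Klez|Nyxem|Bagz|Lovgate|Mimail|BugBear|Bofra|Bropia|Derdero|Kipis|Aimdes|Ahker|Gibe|Mytop|Mytob)\b/i
meta   __WORMNAME_ANY  (__WORMNAME_BODY || __WORMNAME_SUBJ)

# AV-engine style malware naming (W32/..., Win32.... ); used by
# WORM_FOUND_2 as a second, independent indicator.
body   __W32_SIGNATURE_BODY /(?:W32|Win32)/i
header __W32_SIGNATURE_SUBJ Subject =~ /(?:W32|Win32)/i
meta   __W32_SIGNATURE  (__W32_SIGNATURE_BODY || __W32_SIGNATURE_SUBJ)

# --- "We found a virus in your mail" phrases, several products/languages
body   __WORM_FOUND_1  /(?:Worm|Virus) found/i
body   __WORM_FOUND_2  /This message contains malware/i
body   __WORM_FOUND_3  /(?:enthielt einen Virus|Informationen zur Infizierung)/i
body   __WORM_FOUND_4  /was found to be infected with VIRUS/i
body   __WORM_FOUND_5  /einen Virus in einem (?:Anhang gefunden|Ihrer Dokumente gefunden)/i
body   __WORM_FOUND_6  /Mail modified to remove malicious content/i
body   __WORM_FOUND_7  /(?:filtered a message from you|has detected a virus in an e-mail from you)/i
body   __WORM_FOUND_8  /(?:Antigen for Exchange found|NAV for Microsoft Exchange)/i
body   __WORM_FOUND_9  /contains a virus or other harmful content/i
header __WORM_FOUND_10 Subject =~ /Devuelto por contener virus/i
body   __WORM_FOUND_11 /infected with the.{1,30}(?:worm|virus)/i
# "full" rules see the raw message as one string, so a bare ^ only
# matches at the very first byte of the message (i.e. the first header
# line).  /m makes ^ match at the start of any line, which is what a
# "VIRUS: <name>" report line needs.
full   __WORM_FOUND_12 /^VIRUS:/im
full   __WORM_FOUND_13 /Norman Virus Control hat die Original-E-Mail/i
header __WORM_FOUND_14 Subject =~ /Virus gefunden in Nachricht/i
body   __WORM_FOUND_15 /BANNED CONTENTS ALERT/i
# Raw-byte match: the umlaut in "geloescht" is one byte in ISO-8859-1
# and two in UTF-8, and the rule file's own encoding may differ from the
# notification's.  .{1,2} covers both; it does NOT cover quoted-printable
# (=F6) or base64 bodies, since "full" rules are not MIME-decoded.
full   __WORM_FOUND_16 /Norton AntiVirus gel.{1,2}scht/i
full   __WORM_FOUND_17 /ScanMail has detected a virus! Virus removed/i
# Was a second "__WORM_FOUND_6" in 1.006 (see review notes above).
body   __WORM_FOUND_18 /original email was deleted because it contained the virus/i

# Single shared disjunction so WORM_FOUND_1 and WORM_FOUND_2 always test
# the same phrase list.
meta   __WORM_FOUND_ANY (__WORM_FOUND_1 || __WORM_FOUND_2 || __WORM_FOUND_3 || __WORM_FOUND_4 || __WORM_FOUND_5 || __WORM_FOUND_6 || __WORM_FOUND_7 || __WORM_FOUND_8 || __WORM_FOUND_9 || __WORM_FOUND_10 || __WORM_FOUND_11 || __WORM_FOUND_12 || __WORM_FOUND_13 || __WORM_FOUND_14 || __WORM_FOUND_15 || __WORM_FOUND_16 || __WORM_FOUND_17 || __WORM_FOUND_18)

# Legitimate virus advisories / newsletters mention worm names and
# "virus found" wording too.  Weighted *2 so one advisory hit is enough
# to push the sum below the required count regardless of the other terms.
body   __VIRUS_ADVISORY /(?:Newsletter|Viren[- ]?warnung|Virus[- ]?Advisory)/i

# WORM_FOUND_1: worm name + notification phrase, no advisory wording.
# WORM_FOUND_2: additionally an AV-style W32/Win32 signature -> higher
# confidence, higher score.  Both can fire on the same message.
meta     WORM_FOUND_1 (__WORMNAME_ANY + __WORM_FOUND_ANY - (__VIRUS_ADVISORY * 2) == 2)
describe WORM_FOUND_1 Unhelpful Virus found message
score    WORM_FOUND_1 10.300

meta     WORM_FOUND_2 (__WORMNAME_ANY + __W32_SIGNATURE + __WORM_FOUND_ANY - (__VIRUS_ADVISORY * 2) == 3)
describe WORM_FOUND_2 Unhelpful Virus found message
score    WORM_FOUND_2 20.300

# Whitelist-stacking variants: these ADD to WORM_FOUND_1/2, they do not
# replace them (1 + 1a = 35.6 total, 2 + 2a = 55.6 total).
meta     WORM_FOUND_1a (WORM_FOUND_1 + USER_IN_DEF_WHITELIST == 2)
describe WORM_FOUND_1a Unhelpful Virus found message
score    WORM_FOUND_1a 25.300

meta     WORM_FOUND_2a (WORM_FOUND_2 + USER_IN_DEF_WHITELIST == 2)
describe WORM_FOUND_2a Unhelpful Virus found message
score    WORM_FOUND_2a 35.300

# --- Norman Virus Control (German wording) ----------------------------
# NOTE(review): __WORM_NORMAN_3 is case-sensitive while its siblings are
# not; kept as-is since the Subject wording is fixed by the product.
body     __WORM_NORMAN_1 /Es wurde ein Virus gefunden und entfernt/i
body     __WORM_NORMAN_2 /Ihr Mail wurde automatisch ueberprueft und zurueckgewiesen/i
header   __WORM_NORMAN_3 Subject =~ /Mail zurueckgewiesen/
meta     WORM_NORMAN (__WORM_NORMAN_1 + (__WORM_NORMAN_2 || __WORM_NORMAN_3) == 2)
describe WORM_NORMAN Unhelpful Virus found message
score    WORM_NORMAN 20.300

# --- Protectas ---------------------------------------------------------
body     __WORM_PROTECTAS_1 /A virus was detected in the message/i
body     __WORM_PROTECTAS_2 /The message was blocked/i
meta     WORM_PROTECTAS (__WORM_PROTECTAS_1 + __WORM_PROTECTAS_2 == 2)
describe WORM_PROTECTAS Unhelpful Virus found message
score    WORM_PROTECTAS 20.300

# --- Yahoo attachment rejections ---------------------------------------
# The domain is matched as body text, not as a verified sender; it only
# identifies the notification template.
body     __WORM_YAHOO_1 /yahoo-inc\.com/
body     __WORM_YAHOO_2 /Certain attachments are not allowed for security reasons/i
meta     WORM_YAHOO (__WORM_YAHOO_1 + __WORM_YAHOO_2 == 2)
describe WORM_YAHOO Unhelpful Virus rejecting message
score    WORM_YAHOO 20.300

#
# Sober.X is now going around
#
# The whole Sober.X block below is DISABLED (commented out) in 1.006.
# It is kept for reference: the subject/body phrases are the worm's
# social-engineering lures (fake eBay/account/password notices, fake
# police "Ermittlungsverfahren", RTL quiz, celebrity clips), and the
# From: list is the set of generic local-parts the worm forges.
# NOTE(review): the disabled SOBER_X_EMPTY_E meta adds __SOBER_X_EMPTY_E
# twice (4b + E + E == 2), so it could only fire when E hits and 4b does
# not -- almost certainly meant to be (4b + E == 2), which is what
# SOBER_X_EMPTY_F already says.  SOBER_X_EMPTY_E1 also tests the sub-rule
# __SOBER_X_EMPTY_E rather than the scoring rule SOBER_X_EMPTY_E.  Fix
# both before re-enabling.
#
#body __SOBER_X_EMPTY_1 /(?:This account_hast_been_disabled|E-Mail: PassAdmin|Bei uns wurde ein neues Benutzerkonto mit dem Namen|Bitte senden Sie zur Bestaetigung den ausgefuellten Anhang|Ihr Ebay-Team|das Herunterladen von Filmen, Software und MP3s|Wir moechten Ihnen hiermit vorab mitteilen|Aktenzeichen NR\.|Glueckwunsch: Bei unserer EMail Auslosung|Weitere Details ihrer Daten entnehmen Sie bitte dem Anhang|Your password was changed successfully|Passwort Ihr Geburts-Datum|Viel vergnügen mit unserem Angebot|Im I-Net unter:|Ihrer Nutzungs- Daten vornehmen|_does_not_like_recipient.|_does_not_like_sender.|The full mail is attached.|Diese E-Mail wurde automatisch generiert|Weitere Informationen befinden sich im Anhang|Ihr neues Passwort und weiter Informationen|E-Mail Adresse: security\@microsoft.com|Der Jugendschutz verbietet uns leider mehr Auskunft|Ihre Nutzungsdaten wurden erfolgreich geaendert|View Paris Hilton & Nicole Richie video clips|Account and Password Information are attached)/
#
#header __SOBER_X_EMPTY_2a Subject =~ /(?:Ihr[ _]Passwort|Account[ _]Information|SMTP[ _]Mail[ _]gescheitert|Mailzustellung wurde unterbrochen|Ermittlungsverfahren[ _]wurde[ _]eingeleitet|Sie[ _]besitzen[ _]Raubkopien|RTL: Wer wird Millionaer|Sehr[ _]geehrter[ _]Ebay-Kunde|Your IP was logged|You visit illegal websites|smtp mail failed|Registration Confirmation|Paris Hilton & Nicole Richie|Your Password|hi,_ive_a_new_mail_address|Ermittlungsverfahren_wurde_eingeleitet|Sehr_geehrter_Ebay-Kunde|Registration Confirmation)/
#
#body __SOBER_X_EMPTY_2b /Subject: (?:Ihr[ _]Passwort|Account[ _]Information|SMTP[ _]Mail[ _]gescheitert|Mailzustellung wurde unterbrochen|Ermittlungsverfahren[ _]wurde[ _]eingeleitet|Sie[ _]besitzen[ _]Raubkopien|RTL: Wer wird Millionaer|Sehr[ _]geehrter[ _]Ebay-Kunde|Your IP was logged|You visit illegal websites|smtp mail failed|Registration Confirmation|Paris Hilton & Nicole Richie|Your Password|hi,_ive_a_new_mail_address|Ermittlungsverfahren_wurde_eingeleitet|Sehr_geehrter_Ebay-Kunde|Registration Confirmation)/
#
#full __SOBER_X_EMPTY_3 /(?:Content-Disposition: attachment; filename=".{3,20}"|Content-Transfer-Encoding: base64)\s[\s\t ]{2,5}--(?:Boundary|==|[0-9]{4})/i
#
#header __SOBER_X_EMPTY_4a From =~ /(?:(?:Host|Web|Post|host|web|post)master|Postman|Re-Mailer|re-mailer|Auto-Mail|Benutzer_(?:Daten|Info)|Service|Info|Hilfe|new_account|emr_list|info|auto-mail|user_info|information)\@/
#
#body __SOBER_X_EMPTY_4b /From: (?:(?:Host|Web|Post|host|web|post)master|Postman|Re-Mailer|Auto-Mail|Benutzer_(?:Daten|Info)|Service|Info|Hilfe|new_account|emr_list|info|auto-mail|user_info|information)\@/
#
#
# --- Bounce detection --------------------------------------------------
# Partly from http://www.timj.co.uk/linux/bogus-virus-warnings.cf
#
# These sub-rules are currently only consumed by the disabled Sober.X
# metas above.  All of them key on sender-supplied text:
#  - X-Is-A-Bounce with ANY non-empty value (up to 50 chars) counts,
#    so the header is a free pass for anyone who adds it;
#  - an empty Return-Path / X-Return-Path / X-Envelope-From is normally
#    set by the receiving MTA, but X-* variants are trivially forged;
#  - From: and Subject: wording is matched anywhere in the value.
# Treat __REPORT_DSN as "looks like a DSN", never as "is a DSN".
header __ISBOUNCE_1 From =~ /(?:MAILER-DAEMON|postmaster)/i
header __ISBOUNCE_2 Subject =~ /(?:failure delivery|delivery failure|Postmaster notify)/i
header __BOUNCE_HEADER X-Is-A-Bounce =~ /.{1,50}/
header __BOUNCE_RP1 Return-Path =~ /^<>$/
header __BOUNCE_RP2 X-Return-Path =~ /^<>$/
header __BOUNCE_RP3 X-Envelope-From =~ /^<>$/
meta   __NULL_SENDER (__BOUNCE_HEADER || __BOUNCE_RP1 || __BOUNCE_RP2 || __BOUNCE_RP3 || __ISBOUNCE_1 || __ISBOUNCE_2)
header __CT_DEL_STATUS Content-Type =~ /report-type=delivery-status/
#
meta   __REPORT_DSN (__NULL_SENDER || __CT_DEL_STATUS)
#
#meta SOBER_X_EMPTY_A ((__SOBER_X_EMPTY_1 || __SOBER_X_EMPTY_2a || __SOBER_X_EMPTY_3) + __SOBER_X_EMPTY_4a - MIME_MISSING_BOUNDARY - __VIRUS_ADVISORY == 2)
#describe SOBER_X_EMPTY_A Possible Empty SOBER mail
#score SOBER_X_EMPTY_A 3.300
#
#meta SOBER_X_EMPTY_A1 (MIME_MISSING_BOUNDARY + __SOBER_X_EMPTY_2a - __VIRUS_ADVISORY == 2)
#describe SOBER_X_EMPTY_A1 Possible Empty SOBER mail
#score SOBER_X_EMPTY_A1 15.300
#
#meta SOBER_X_EMPTY_B (__SOBER_X_EMPTY_1 + __SOBER_X_EMPTY_2a + (__SOBER_X_EMPTY_3 || __WORM_FOUND_14 || __WORM_FOUND_15 || __WORM_FOUND_16 || __WORM_FOUND_17) == 2)
#describe SOBER_X_EMPTY_B Empty SOBER.X mail
#score SOBER_X_EMPTY_B 8.300
#
#meta SOBER_X_EMPTY_C (__SOBER_X_EMPTY_1 + __SOBER_X_EMPTY_2a + (__SOBER_X_EMPTY_3 || __WORM_FOUND_14 || __WORM_FOUND_15 || __WORM_FOUND_16 || __WORM_FOUND_17) + __SOBER_X_EMPTY_4a + RCVD_SOBER_HIT == 3)
#describe SOBER_X_EMPTY_C Empty SOBER.X mail
#score SOBER_X_EMPTY_C 20.300
#
#meta SOBER_X_EMPTY_D (__SOBER_X_EMPTY_1 + __SOBER_X_EMPTY_2a + (__SOBER_X_EMPTY_3 || __WORM_FOUND_14 || __WORM_FOUND_15 || __WORM_FOUND_16 || __WORM_FOUND_17) + __SOBER_X_EMPTY_4a + RCVD_SOBER_HIT >= 4)
#describe SOBER_X_EMPTY_D Empty SOBER.X mail
#score SOBER_X_EMPTY_D 30.300
#
#meta __SOBER_X_EMPTY_E (__SOBER_X_EMPTY_1 + __SOBER_X_EMPTY_2b + __REPORT_DSN == 3)
#meta SOBER_X_EMPTY_E (__SOBER_X_EMPTY_4b + __SOBER_X_EMPTY_E + __SOBER_X_EMPTY_E == 2)
#describe SOBER_X_EMPTY_E Empty SOBER.X bounce
#score SOBER_X_EMPTY_E 10.300
#
#meta SOBER_X_EMPTY_E1 (__SOBER_X_EMPTY_E + USER_IN_DEF_WHITELIST == 2)
#describe SOBER_X_EMPTY_E1 Empty SOBER.X bounce
#score SOBER_X_EMPTY_E1 25.300
#
#meta SOBER_X_EMPTY_F (__SOBER_X_EMPTY_4b + __SOBER_X_EMPTY_E == 2)
#describe SOBER_X_EMPTY_F Empty SOBER.X bounce
#score SOBER_X_EMPTY_F 20.300
#
#meta SOBER_X_EMPTY_F1 (SOBER_X_EMPTY_F + USER_IN_DEF_WHITELIST == 2)
#describe SOBER_X_EMPTY_F1 Empty SOBER.X bounce
#score SOBER_X_EMPTY_F1 40.300
#
#meta SOBER_X_EMPTY_G (WORM_FOUND_1 + SOBER_X_EMPTY_A == 2)
#describe SOBER_X_EMPTY_G SOBER.X bounce
#score SOBER_X_EMPTY_G 20.300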