#####################################################################################
############ YAVR (Yet Another antiVirus Recipe) v1.9.5
## URL: http://agriroot.aua.gr/~nikant/nkvir/
##
## Copyright (C)2003-2004 Nikos K. Kantarakias - nikant_at_freemail_dot_gr, http://www.nikant.tk
## This program and all its previous versions, are free software;
## you can redistribute it and/or modify it under the terms
## of the GNU General Public License as published by the Free Software Foundation;
## either version 2 of the License, or (at your option) any later version.
##
## This program is distributed in the hope that it will be useful,
## but WITHOUT ANY WARRANTY; without even the implied warranty of
## MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
## GNU General Public License for more details.
## 
## You may get a copy of GPLv2 at http://www.gnu.org/licenses/gpl.txt
##
############ YAVR info and usage 
## URL: http://agriroot.aua.gr/~nikant/nkvir/
##      http://www.freshmeat.net/yavr/
##
# - use it in your .procmailrc file using INCLUDERC=
#
# - needs a directory /virus/ inside your Mail/ dir
#
# - features 
#  - trap e-worms with base64 signatures (most known like Klez, Hybris, BugBear...)
#  - iframe html exploit
#  - CLSID hidden extensions exploit
#  - xml codebase exploit
#  - generic executable trap for bat, pif, vbs, vba, scr, lnk, com, exe
#  - generic macro detection for doc,dot,xls,xla files
#  - generic detection for most of nigeria scam e-mails (most of them)
#    (please remember to configure nigeria scam filter. default is ON)
#  - generic detection for porn spam e-mails (some of them)
#    (please remember to configure nigeria scam filter. default is OFF)
#
# - WARNINGS you receive
#    for some of the above (plain iframe, clsid, xml, macro) e-mail is delivered
#    normally but gets a WARNING in subject plus its old subject. Warnings are:
#    - WARNING-XML-CODEBASE-OBJECT-$SUB
#    - WARNING-CLSID-EXTENSION-$SUB
#    - WARNING-IFRAME-$SUB
#    - WARNING-MACRO-$SUB
#    - WARNING-NSCAM-SCORE:$NKNGS-$SUB
#    - WARNING-PORN-SCORE:$NKPRNS-$SUB
#    - WARNING-MS-EXEC-$SUB
#
# - X- marks in headers
#      X-YAVR: MS-EXEC  (any MS executable that wasn't identified by signatures)
#      X-YAVR: NIGERIA  (nigeria scam)
#      X-YAVR: PORN     (porn related)
#      X-YAVR: MACRO    (containing macro code)
#      X-YAVR: XML-CODEBASE
#      X-YAVR: IFRAME
#      X-YAVR: CLSID-EXTENSION
#      X-YAVR: SENDMAIL-EXPLOIT
#
#
# - viral signatures are especially selected, DO NOT CHANGE.
# - if you intent to use them please give appropriate credits to people that worked for those.
#
# - all LOG info goes to your procmailrc log so ACTIVATE IT.
#
# - virus names are different from AV to AV. I use the names given
#   from http://www.viruslist.com/
#
# - it would really help if you zip and send me worms that drop in the 
#   virus-could-be file at nikant_at_freemail_dot_gr
#
#
# -VIRLIST: EICAR-AV-TEST(test NOT virus), Iframe exploit, SirCam, Nimda, Klez,
# Hybris, BadTransII, Tanatos(BugBear), MTX, Elkern, Blebla, Navidad, MyParty,
# Magistr, Lentin(Yaha), Frethem, Gibe, Mawanella, Generic, Funnypics, Happy,
# Opasoft(a,d), Scrambler, PrettyPark, SysClock, Sobig(a,b,c,f,gen), Trood, 
# Aliz, CodeGreen.a, IISWorm, GOPWorm, LastWord, Heyya, Sharpei, Avron(Lirva-b,c,e),
# TrojanDownloader.Win32.Ultraset, Ganda, LovGate(f,i), NetThief, Mimail,
# Apost, Blaster(Lovesan), P2P.VB.ai, Dumaru, PWS-LegMir, Swen, Maldal(c,k),
# Roron(51), Icecubes, Energy, Brit (-,b,c,d,h), Sober, Darby(b), Hawawi, LegendMir,
# Torvil.d,  Dropper.Mimail.b, Backdoor.PowerSpider.a, Bagle, Novarg(MyDoom), Moodown
#
#####################################################################################

#nigeria scam filtering: ON or OFF. default is ON
#variable NIGSCAM may also be set at your main procmailrc before including YAVR
:0
* $ ${NIGSCAM:+!}
{ NIGSCAM=ON }


#porn spam filtering: ON or OFF. default is OFF
#variable PORNSPAM may also be set at your main procmailrc before including YAVR
:0
* $ ${PORNSPAM:+!}
{ PORNSPAM=OFF }


#Microsoft EXEcutable quarantine : ON or OFF. default is ON
#variable YAVRQUARANTEXE may also be set at your main procmailrc before including YAVR
:0
* $ ${YAVRQUARANTEXE:+!}
{ YAVRQUARANTEXE=ON }

#Nigeria scam quarantine : ON or OFF. default is ON
#variable YAVRQUARANTNIG may also be set at your main procmailrc before including YAVR
:0
* $ ${YAVRQUARANTNIG:+!}
{ YAVRQUARANTNIG=ON }

#Porn related quarantine : ON or OFF. default is ON
#variable YAVRQUARANTPRN may also be set at your main procmailrc before including YAVR
:0
* $ ${YAVRQUARANTPRN:+!}
{ YAVRQUARANTPRN=ON }



LINEBUF=32768


#where you want viruses to go..
#variable VIRDIR may also be set at your main procmailrc before including YAVR
#default is $MAILDIR/virus/ where $MAILDIR is a variable from your main procmailrc
#ATTENTION: /virus/ is a directory NOT a file
:0
* $ ${VIRDIR:+!}
{ VIRDIR=$MAILDIR/virus }


#nigeria destination folder
#variable NIGDIR may also be set at your main procmailrc before including YAVR
#default is $VIRDIR/nigeria-scam where $VIRDIR is set right above 
:0
* $ ${NIGDIR:+!}
{ NIGDIR=$VIRDIR/nigeria-scam }


#porn destination folder
#variable PORNDIR may also be set at your main procmailrc before including YAVR
#default is $VIRDIR/porn-spam where $VIRDIR is set right above 
:0
* $ ${PORNDIR:+!}
{ PORNDIR=$VIRDIR/porn-spam }


#DO NOT EDIT BELOW THIS LINE UNLESS YOU KNOW WHAT YOU'RE DOING.. ;)


#vars for log
SUB=`formail -zxSubject:`
DATE=`date +"%d/%m/%Y %T"`
NL="
"


###########################################################
# for e-worms signature-based
###########################################################
:0HB
* ^Content-Type[	 ]*:.*(application|audio|multipart|mixed|alternative|partial)
* name[	 ]*[*]?[	 ]*=.*\.[	 ]*(bat|pif|cmd|vb[as]|scr|lnk|com|exe|chm|\{[-0-9a-f]+\})(\.....?)?"?[	 ]*$
* ^Content-Transfer-Encoding[	 ]*:.*(base64|quoted-printable|7bit)
{

# - viral signatures are especially selected, DO NOT CHANGE.
# - if you intent to use them please give appropriate credits to people that worked for those.

###### START-OF-TVqQAAM-FAMILY ######
:0BD
* ^TVqQAAM
{
#for Sobig
:0BD
*  -800^0
*   200^0 K/cBHSx
*   200^0 rZVJizb
*   200^0 DrVitFc
*   200^0 rolkJrX
*   200^0 zt8P9pT
{ VNSOBIG=yes }
#Sobig-b
:0BD
*  -800^0
*   200^0 gHB/e2v
*   200^0 j1qLR/m
*   200^0 dAgyJY8
*   200^0 0SOIV7x
*   200^0 Gw47Qgh
{ VNSOBIG=yes }
#Sobig-c (by Fredrik Rodland)
:0BD
*  -800^0
*   200^0 BSj0hvF
*   200^0 HN8EMuX
*   200^0 LvRtJdz
*   200^0 MdFFlfN
*   200^0 oikgcxQ
{ VNSOBIG=yes }
#Sobig-gen
:0BD
*  -800^0
*   200^0 /HrcLhs
*   200^0 qfZjXLv
*   200^0 msFydo9
*   200^0 iJGZx/6
*   200^0 Gg7aCZs
{ VNSOBIG=yes }
#Sobig-gen (UPX packed and scrambled)
:0BD
*  -800^0
*   200^0 v0ibwKA
*   200^0 CDH2kTw
*   200^0 YBdt6zE
*   200^0 nblNbDU
*   200^0 jWqE0Z6
{ VNSOBIG=yes }
#Sobig-f
:0BD
*  -800^0
*   200^0 IOsT73k
*   200^0 eGYh2Eo
*   200^0 cb07glg
*   200^0 G\+Q1KAS
*   200^0 WaUYonD
{ VNSOBIG=yes }
:0
* VNSOBIG ?? yes
  {
  LOG="---=== WORM-SOBIG $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Sobig
  }
  

#Swen
:0BD
*  -800^0
*   200^0 wHQJagF
*   200^0 ReRQaJA
*   200^0 QQBQ6Ae
*   200^0 AAAAg\+w
*   200^0 AVjDi2X
{ VNSWEN=yes }
# Swen-upx (someone released Swen compressed... lamers..) 
:0BD
*  -800^0
*   200^0 w57t927
*   200^0 CZ/aINt
*   200^0 BxkwgiQ
*   200^0 CjghxrM
*   200^0 DGvIKyM
{ VNSWEN=yes }
:0
* VNSWEN ?? yes
  {
  LOG="---=== WORM-SWEN $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Swen
  }

    
#for Sober
:0BD
*  -800^0
*   200^0 xCzjUCs
*   200^0 ByF8Jl9
*   200^0 XwPS1ST
*   200^0 BxY0PPB
*   200^0 cjsG0Tu
{ VNSOBER=yes }
#Sober-c
:0BD
*  -800^0
*   200^0 zwYOwBJ
*   200^0 LAdpnBi
*   200^0 r7vRhBu
*   200^0 afB7of4
*   200^0 xwUmMCo
{ VNSOBER=yes }
:0
* VNSOBER ?? yes
  {
  LOG="---=== WORM-SOBER $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Sober
  }

    
#for Mimail
:0BD
#Mimail.A (UPX encoded)
*  -800^0
*   200^0 sFdQJB4
*   200^0 tfA9Im5
*   200^0 ndpTyZQ
*   200^0 XCQoUyM
*   200^0 2xRcdLC
{ VNMIMAIL=yes }
#Mimail.F (UPX encoded)
:0BD
*  -800^0
*   200^0 sFdQJB4
*   200^0 tfA9Im5
*   200^0 ZbYLFDb
*   200^0 MbSsous
*   200^0 Gtz4JpF
{ VNMIMAIL=yes }
#Mimail.G (UPX encoded)
:0BD
*  -800^0
*   200^0 sFdQJB4
*   200^0 MP\+18D0
*   200^0 TMm2tgQ
*   200^0 pTG0rAs
*   200^0 Izsa3PE
{ VNMIMAIL=yes }
#Mimail.C (UPX encoded)
:0BD
*  -800^0
*   200^0 sFdQJB4
*   200^0 tfA9Iu0
*   200^0 tpH2VDI
*   200^0 tKzRdYM
*   200^0 fj5oaYA
{ VNMIMAIL=yes }
#Mimail.I (UPX encoded)
:0BD
*  -800^0
*   200^0 sFdQJB4
*   200^0 BB6FT2A
*   200^0 WJ1nMg4
*   200^0 jOY/web
*   200^0 biHb608
{ VNMIMAIL=yes }
#Mimail.J (UPX encoded)
:0BD
*  -800^0
*   200^0 sFdQJB4
*   200^0 TwsM4dv
*   200^0 7FidMF2
*   200^0 5j/B5sx
*   200^0 LEjXst5
{ VNMIMAIL=yes }
#Mimail.E (UPX encoded)
:0BD
*  -800^0
*   200^0 sFdQJB4
*   200^0 ZQ//tfA
*   200^0 ZSqZkm2
*   200^0 MbTd4EV
*   200^0 sqPB/VH
{ VNMIMAIL=yes }
#Mimail.M (UPX encoded)
:0BD
*  -800^0
*   200^0 sFdQJB4
*   200^0 sG569A4
*   200^0 W9kvxgQ
*   200^0 0MQ1Zru
*   200^0 7WzLXiK
{ VNMIMAIL=yes }
#Mimail.A,G,C,E (decompressed)
:0BD
*  -800^0
*   200^0 BInHV/9
*   200^0 AIPHLok
*   200^0 dfyLdfj
*   200^0 AACDxAx
*   200^0 (NQ|Jw|Ow|KA)AA/3X
{ VNMIMAIL=yes }
#Mimail.I (decompressed)
:0BD
*  -800^0
*   200^0 BInHV/9
*   200^0 /0Xoi30
*   200^0 WUAAOX3
*   200^0 xARqAFC
*   200^0 PTRZQAA
{ VNMIMAIL=yes }
#Mimail.J (decompressed)
:0BD
*  -800^0
*   200^0 BInHV/9
*   200^0 mQEAAP9
*   200^0 /Is9NFl
*   200^0 KAAAg8Q
*   200^0 /0X8iz0
{ VNMIMAIL=yes }
#Mimail.M (decompressed)
:0BD
*  -800^0
*   200^0 BInHV/9
*   200^0 BI292Pf
*   200^0 LAAAice
*   200^0 g8QQ/3X
*   200^0 /In\+g8Y
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
*  -800^0
*   200^0 D\+Rhdqr
*   200^0 Sdh05LZ
*   200^0 b8s2s\+C
*   200^0 dOS2t8k
*   200^0 quTktjp
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
*  -800^0
*   200^0 vR\+VkBg
*   200^0 r2qPEFD
*   200^0 my2ESBR
*   200^0 jxBQBTL
*   200^0 GB8QUIi
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
*  -800^0
*   200^0 DE8GMql
*   200^0 Ddvfg/J
*   200^0 CI81GIf
*   200^0 34PytGJ
*   200^0 qU\+D8jn
{ VNMIMAIL=yes }
#Mimail.Q
:0BD
*  -800^0
*   200^0 r89dHFB
*   200^0 ly0hmhh
*   200^0 XRxQoOD
*   200^0 vc0cUC1
*   200^0 VSxZgdD
{ VNMIMAIL=yes }
:0
* VNMIMAIL ?? yes
  {
  LOG="---=== WORM-MIMAIL $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Mimail
  }  

  
#for Blaster (Lovesan)
:0BD
*  -800^0
*   200^0 ClAkHg0
*   200^0 xvggHV9
*   200^0 UUT8AZj
*   200^0 rboHqPQ
*   200^0 fgAlaS4
{ VNBLASTER=yes }
#for Blaster (Lovesan) decompressed
:0BD
*  -800^0
*   200^0 VhAAAD2
*   200^0 jYXo/f/
*   200^0 DMeF7Or
*   200^0 NSQxQAD
*   200^0 /A\+3hX7
{ VNBLASTER=yes }
:0
* VNBLASTER ?? yes
  {
  LOG="---=== WORM-BLASTER $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Blaster
  }


#for Nimda
:0BD
*  -800^0
*   200^0 //8r8Go
*   200^0 te79///
*   200^0 /wAAAP9
*   200^0 /1BqAGo
*   200^0 N[o4]v4O/s
  {
  LOG="---=== WORM-NIMDA $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Nimda
  }


#for Klez
:0BD
* 0EPA6gQ
{
#Klez-a
:0BD
*  -600^0
*   200^0 fnwDQOv
*   200^0 AFlZ6xZ
*   200^0 oAEAAGo
*   200^0 zyvIUVB
{ VNKLEZ=yes }
#Klez-b
:0BD
*  -600^0
*   200^0 /A\+DJwE
*   200^0 UOjZLgA
*   200^0 6DUBAAC
*   200^0 CAPfO9h
{ VNKLEZ=yes }
#Klez-c
:0BD
*  -600^0
*   200^0 GGaD\+SB
*   200^0 g8QQOV0
*   200^0 JAAA/0X
*   200^0 AAIAAID
{ VNKLEZ=yes }
#Klez-d
:0BD
*  -600^0
*   200^0 /A\+DJwE
*   200^0 CI2F2P7
*   200^0 /P7//2i
*   200^0 AFPoSjE
{ VNKLEZ=yes }
#Klez-e
:0BD
*  -600^0
*   200^0 UmAAADP
*   200^0 EFm4AAA
*   200^0 6MorAAC
*   200^0 QQD/dRB
{ VNKLEZ=yes }
#Klez-f
:0BD
*  -600^0
*   200^0 omAAADP
*   200^0 EFm4AAA
*   200^0 6O4rAAC
*   200^0 QQD/dRB
{ VNKLEZ=yes }
#Klez-g
:0BD
*  -600^0
*   200^0 omAAADP
*   200^0 EFm4AAA
*   200^0 6O4rAAC
*   200^0 QQD/dRB
{ VNKLEZ=yes }
#Klez-h
:0BD
*  -600^0
*   200^0 MmQAADP
*   200^0 EFm4AAA
*   200^0 0moYWff
*   200^0 U1ZXD4S
{ VNKLEZ=yes }
#Klez-i
:0BD
*  -600^0
*   200^0 ImQAADP
*   200^0 EFm4AAA
*   200^0 0moYWff
*   200^0 U1ZXD4S
{ VNKLEZ=yes }
#Klez-j
:0BD
*  -600^0
*   200^0 omAAADP
*   200^0 EFm4AAA
*   200^0 6O4rAAC
*   200^0 QQD/dRB
{ VNKLEZ=yes }
:0
* VNKLEZ ?? yes
  {
  LOG="---=== WORM-KLEZ $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Klez
  }
}
  

#Novarg
:0BD
#Novarg unpacked
*  -800^0
*   200^0 gAsAAIA
*   200^0 Qbya4z/
*   200^0 WKyxNTc
*   200^0 xz9PyLY
*   200^0 2Zjo9Vd
{ VNNOVARG=yes }
#Novarg upx
:0BD
*  -800^0
*   200^0 0KJ3Tyo
*   200^0 3/ZH\+Ur
*   200^0 D/////8
*   200^0 Tlze1i2
*   200^0 88KUaUE
{ VNNOVARG=yes }
#Novarg Petite packed
:0BD
*  -800^0
*   200^0 dFByb2N
*   200^0 d/dIwAB
*   200^0 tvofY9M
*   200^0 EZJt9N4
*   200^0 cH\+xjgD
{ VNNOVARG=yes }
#Novarg unpacked
:0BD
*  -800^0
*   200^0 wgZpXVd
*   200^0 Z3JrZwA
*   200^0 IGdya2c
*   200^0 WTPbWYk
*   200^0 cBBKADi
{ VNNOVARG=yes }
#generic signature just to be sure
:0BD
*  -800^0
*   900^0 /$?^?/$?^?/$?^?/$?^?/$?^?/$?^?d$?^?a$?^?w$?^?C$?^?m$?^?V$?^?B$?^?H$?^?b$?^?r$?^?Y$?^?9$?^?5$?^?c$?^?3$?^?W$?^?H$?^?o$?^?c$?^?v$?^?\+$?^?P$?^?I$?^?r$?^?h$?^?R$?^?7$?^?Y$?^?w$?^?u$?^?0$?^?3$?^?s$?^?m$?^?1$?^?A$?^?0$?^?5$?^?8$?^?K$?^?p$?^?n
*   900^0 /$?^?/$?^?/$?^?/$?^?/$?^?/$?^?3$?^?W$?^?s$?^?A$?^?p$?^?l$?^?Q$?^?R$?^?2$?^?6$?^?2$?^?P$?^?e$?^?X$?^?N$?^?1$?^?h$?^?6$?^?H$?^?L$?^?/$?^?j$?^?y$?^?K$?^?4$?^?U$?^?e$?^?2$?^?M$?^?L$?^?t$?^?N$?^?7$?^?J$?^?t$?^?Q$?^?N$?^?O$?^?f$?^?C$?^?q$?^?Z
*   900^0 /$?^?/$?^?/$?^?/$?^?/$?^?J$?^?\+$?^?q$?^?w$?^?e$?^?U$?^?U$?^?U$?^?5$?^?r$?^?u$?^?T$?^?b$?^?k$?^?w$?^?t$?^?E$?^?f$?^?j$?^?i$?^?z$?^?7$?^?\+$?^?y$?^?q$?^?K$?^?G$?^?d$?^?n$?^?J$?^?6$?^?j$?^?q$?^?7$?^?b$?^?E$?^?1$?^?e$?^?k$?^?A$?^?G$?^?j$?^?f
*   900^0 /$?^?/$?^?/$?^?/$?^?E$?^?8$?^?B$?^?J$?^?d$?^?f$?^?a$?^?D$?^?8$?^?P$?^?8$?^?7$?^?R$?^?C$?^?Q$?^?E$?^?g$?^?9$?^?U$?^?B$?^?O$?^?0$?^?Q$?^?k$?^?C$?^?I$?^?P$?^?V$?^?A$?^?I$?^?k$?^?E$?^?J$?^?O$?^?h$?^?X
{ VNNOVARG=yes }
:0
* VNNOVARG ?? yes
  {
  LOG="---=== WORM-NOVARG $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Novarg
  }

      
#Moodown
:0BD
*  -800^0
*   200^0 2yFbKVg
*   200^0 YBsnA\+3
*   200^0 VFiceqX
*   200^0 eshgrpI
*   200^0 XR7syGE
{ VNMOODOWN=yes }
#Moodown uncompressed
:0BD
*  -800^0
*   200^0 7IHsDAI
*   200^0 g/4IV/f
*   200^0 cghmgX3
*   200^0 XlvJw4N
*   200^0 AFZXx0X
{ VNMOODOWN=yes }
:0
* VNMOODOWN ?? yes
  {
  LOG="---=== WORM-MOODOWN $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Moodown
  }


#for Avron aka Lirva
:0BD
#Avron-b
*  -800^0
*   200^0 IHBhY2t
*   200^0 Yiudflj
*   200^0 UEKOkBE
*   200^0 BQolLDs
*   200^0 OIxrCMs
{ VNLIRVA=yes }
#Avron-c
:0BD
*  -800^0
*   200^0 IHBhY2t
*   200^0 Yiudflj
*   200^0 LHR6U3d
*   200^0 726CDaY
*   200^0 bGoqNFm
{ VNLIRVA=yes }
#Avron-e
:0BD
*  -800^0
*   200^0 zMzMzMz
*   200^0 fbi5EgA
*   200^0 RcZFxUb
*   200^0 /wAAAMH
*   200^0 /1D/FTA
{ VNLIRVA=yes }
:0
* VNLIRVA ?? yes
  {
  LOG="---=== WORM-LIRVA $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Lirva
  }  
  
  
#for Lentin aka Yaha
#Lentin.G (Yaha.E)
:0BD
*  -800^0
*   200^0 Li4uLi4
*   200^0 NWAdUqk
*   200^0 7EnICe9
*   200^0 0DyYxQl
*   200^0 6agF0Ok
{ VNYAHA=yes }
#Lentin.I (Yaha.K)
:0BD
*  -800^0
*   200^0 N\+SwUge
*   200^0 hFCMT8t
*   200^0 Duk7Aoh
*   200^0 fC24DGH
*   200^0 VExyKUw
{ VNYAHA=yes }
:0
* VNYAHA ?? yes
  {
  LOG="---=== WORM-YAHA-LENTIN $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Yaha
  }


#for Hybris aka SnowWhite virus - Hybris is polymorphic so hard to catch...
#Hybris-b
:0BD
*  -800^0
*   200^0 AIv0gcT
*   200^0 JOgCAAC
*   200^0 mVfiyoh
*   200^0 ////cvL
*   200^0 YIlaZIl
{ VNHYBRIS=yes }
#Hybris-c
:0BD
*  -800^0
*   200^0 0QuxYhX
*   200^0 pyFClXl
*   200^0 bE4jym1
*   200^0 37pPyjL
*   200^0 0GnOIjn
{ VNHYBRIS=yes }
#Hybris-d
:0BD
*  -800^0
*   200^0 ka60PZ2
*   200^0 jTq/9Vv
*   200^0 bdVMcR\+
*   200^0 Y1PunKd
*   200^0 be2y\+V2
{ VNHYBRIS=yes }
#Hybris-gen
:0BD
*  -800^0
*   200^0 VCWIw2A
*   200^0 E/42yeG
*   200^0 QFsQ6PI
*   200^0 2iZ0YB5
*   200^0 MGSGfyE
{ VNHYBRIS=yes }
#even more Hybris
:0BD
*  -800^0
*   200^0 Ui\+XpV4
*   200^0 9ftA2MO
*   200^0 Tz0O8gH
*   200^0 5DVWXih
*   200^0 Lm6VYR8
{ VNHYBRIS=yes }
:0
* VNHYBRIS ?? yes
  {
  LOG="---=== WORM-HYBRIS $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Hybris
  }


#for BadTransII
:0BD
*  -800^0
*   200^0 bXcD6Ga
*   200^0 Yz1rtU0
*   200^0 VHRSPOb
*   200^0 \+aZQuxC
*   200^0 O/h0c4s
  {
  LOG="---=== WORM-BADTRANSII $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-BadTransII
  }


#for Hawawi.g
:0BD
*  -800^0
*   200^0 L3YAYnf
*   200^0 Zkgu/Al
*   200^0 dY/34nx
*   200^0 xEzSu/9
*   200^0 7bgBAAA
{ VNHAWAWI=yes }
#for Hawawi.g (decompressed)
:0BD
*  -800^0
*   200^0 AP8lIBB
*   200^0 AAA0JkA
*   200^0 oaxTQAA
*   200^0 \+/o1MP/
*   200^0 AGM0/13
{ VNHAWAWI=yes }
:0
* VNHAWAWI ?? yes
  {
  LOG="---=== WORM-HAWAWI $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Hawawi
  }
  
    
#for P2P.Darby
:0BD
*  -800^0
*   200^0 F6Zp5jn
*   200^0 kGDH9mH
*   200^0 MsgrHhH
*   200^0 jOsqjbJ
*   200^0 rrMljqb
  {
  LOG="---=== WORM-DARBY $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Darby
  }

  
#for I-Worm.Bagle
:0BD
*  -800^0
*   200^0 xPxWV1O
*   200^0 i0AMC8B
*   200^0 6DAVAAD
*   200^0 /1IMi3X
*   200^0 8OhlDwA
{ VNBAGLE=yes }
#Bagle.B 
:0BD
*  -800^0
*   200^0 jz1dAvg
*   200^0 BQ6Bxjt
*   200^0 3t8FA9x
*   200^0 HruKHZv
*   200^0 GdW87l4
{ VNBAGLE=yes }
:0
* VNBAGLE ?? yes
  {
  LOG="---=== WORM-BAGLE $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Bagle
  }    
  
    
#for Backdoor.PowerSpider.a
:0BD
*  -800^0
*   200^0 CAF0B1b
*   200^0 GrUAAAF
*   200^0 uDTMQAD
*   200^0 ochWQgC
*   200^0 aGD1QAB
  {
  LOG="---=== WORM-POWERSPIDER $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Powerspider
  }    
  
  
#for Tanatos aka BugBear
#Bugbear-a
:0BD
*  -800^0
*   200^0 7e/5O/C
*   200^0 UDcmGDo
*   200^0 MogGcs9
*   200^0 hXIFBoO
*   200^0 rw5Qdfi
#Bugbear-b-generic by NiKant - I think its a killer but lets see..
*   900^0 C$?^?C$?^?n$?^?Y$?^?h$?^?q$?^?0$?^?w$?^?f$?^?H$?^?k$?^?M$?^?3$?^?x$?^?\+$?^?0$?^?H$?^?A$?^?B$?^?U$?^?R$?^?A$?^?Q$?^?A$?^?A$?^?k$?^?A$?^?I$?^?A$?^?J$?^?g$?^?s$?^?A$?^?J$?^?L
  {
  LOG="---=== WORM-BUGBEAR-TANATOS $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Bugbear
  }

  
#for Elkern
#Elkern-a
:0BD
*  -800^0
*   200^0 0EPA6gQ
*   200^0 fnwDQOv
*   200^0 AFlZ6xZ
*   200^0 oAEAAGo
*   200^0 zyvIUVB
{ VNELKERN=yes }
#Elkern-c
:0BD
*  -800^0
*   200^0 AIPEDOm
*   200^0 FUAAAxV
*   200^0 lKBAAOg
*   200^0 DKGsoEA
*   200^0 zMzMzMz
{ VNELKERN=yes }
:0
* VNELKERN ?? yes
  {
  LOG="---=== WORM-ELKERN $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Elkern
  }


#for Navidad
#Navidad-a
:0BD
*  -800^0
*   200^0 FVBQQAC
*   200^0 lCQUAgA
*   200^0 1mgAfwA
*   200^0 Z1D/FfR
*   200^0 WVloIGB
{ VNNAVIDAD=yes }
#Navidad-b
:0BD
*  -800^0
*   200^0 VC1EClJ
*   200^0 OYCFHqg
*   200^0 Cz96o\+Y
*   200^0 LwcbYK8
*   200^0 hWVy/cc
{ VNNAVIDAD=yes }
:0
* VNNAVIDAD ?? yes
  {
  LOG="---=== WORM-NAVIDAD $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Navidad
  }


#for MyParty
:0BD
*  -800^0
*   200^0 dD5WEnb
*   200^0 JTkZBdH
*   200^0 1xUMi00
*   200^0 FyKQAFF
*   200^0 f31f\+15
  {
  LOG="---=== WORM-MYPARTY $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-MyParty
  }


#for Magistr (tough, has 2 polymorphic engines)
:0BD
*  -800^0
*   200^0 \+SPFQMP
*   200^0 w2oAagD
*   200^0 oFRAAIk
*   200^0 dftAOBh
*   200^0 g3yPBAB
{ VNMAGISTR=yes }
#
:0BD
*  -800^0
*   200^0 zMzMzMz
*   200^0 wYv3i/q
*   200^0 V/8V1AF
*   200^0 fCQQhNJ
*   200^0 AIll9Il
{ VNMAGISTR=yes }
#
:0BD
*  -800^0
*   200^0 jUwkDFF
*   200^0 xBSFwHU
*   200^0 i/eL\+8H
*   200^0 HAEAAIs
*   200^0 SAOLxak
{ VNMAGISTR=yes }
#
:0BD
*  -800^0
*   200^0 KkAAagB
*   200^0 7BgCAAB
*   200^0 jYXw/v/
*   200^0 aWxlQQD
*   200^0 cgBvAGQ
{ VNMAGISTR=yes }
#
:0BD
*  -800^0
*   200^0 bGljYXR
*   200^0 bAAAVmh
*   200^0 IGAAAeh
*   200^0 AYTAdeO
*   200^0 9P7//4X
{ VNMAGISTR=yes }
#
:0BD
*  -800^0
*   200^0 AFZHAAC
*   200^0 YXAgZXJ
*   200^0 dDWAPaF
*   200^0 AenPAAA
*   200^0 AFboSvj
{ VNMAGISTR=yes }
#
:0BD
*  -800^0
*   200^0 AQD2OwE
*   200^0 bmkAV0F
*   200^0 bnQAAG5
*   200^0 RkQtMDB
*   200^0 ezA1NTg
{ VNMAGISTR=yes }
#
:0BD
*  -800^0
*   200^0 QUdFTlQ
*   200^0 YQBnAGU
*   200^0 4kJu1TA
*   200^0 ahS\+wyE
*   200^0 LhRs\+nP
{ VNMAGISTR=yes }
#
:0BD
*  -800^0
*   200^0 /vOragN
*   200^0 \+YvBi/e
*   200^0 AABQV/8
*   200^0 6I4sAAC
*   200^0 JJAMAAA
{ VNMAGISTR=yes }
#
:0BD
*  -800^0
*   200^0 XlnDi0Q
*   200^0 RAoBjVQ
*   200^0 AAAAiQ/
*   200^0 QAiJFSR
*   200^0 AGgYIEA
{ VNMAGISTR=yes }
:0
* VNMAGISTR ?? yes
  {
  LOG="---=== WORM-MAGISTR $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Magistr
  }


#for LovGate
#LovGate-f
:0BD
*  -800^0
*   200^0 AiYi3pn
*   200^0 tNQCwCg
*   200^0 Dxsjt0c
*   200^0 WA9\+zD1
*   200^0 AUieTgG
{ VNLOVGATE=yes }
#LovGate-i
:0BD
*  -800^0
*   200^0 2gvcCpS
*   200^0 FzcK1a\+
*   200^0 5ymsPtx
*   200^0 nwPq/e\+
*   200^0 QYJeZUo
{ VNLOVGATE=yes }
:0
* VNLOVGATE ?? yes
  {
  LOG="---=== WORM-LOVGATE $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-LovGate
  }  
  

#for Frethem
:0BD
*  -800^0
*   200^0 OxLRTfB
*   200^0 aHZdo72
*   200^0 KPwdNsG
*   200^0 /OzCsbg
*   200^0 zRhz7Px
  {
  LOG="---=== WORM-FRETHEM $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Frethem
  }

  
#for LegendMir
:0BD
*  -800^0
*   200^0 dQyhOHf
*   200^0 \+bxQKHY
*   200^0 QC/YCLK
*   200^0 A8fdl97
*   200^0 4ZdMDyJ
  {
  LOG="---=== WORM-LEGENDMIR $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-LegendMir
  }
    

#for Gibe
:0BD
*  -800^0
*   200^0 EEAA/yV
*   200^0 uSIRQAD
*   200^0 ChFAABA
*   200^0 ABYAAAB
*   200^0 Z1NldFZ
  {
  LOG="---=== WORM-GIBE $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Gibe
  }


#for Hadra
:0BD
*  -800^0
*   200^0 Enlyyt4
*   200^0 vxTI370
*   200^0 YzPwft/
*   200^0 AAsOe\+9
*   200^0 vwy4SIB
  {
  LOG="---=== WORM-HADRA $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Hadra
  }


#for Generic
:0BD
*  -800^0
*   200^0 QAAdskA
*   200^0 AP8lCBB
*   200^0 EAAAAQA
*   200^0 ///////
*   200^0 AAERGHd
  {
  LOG="---=== WORM-GENERIC $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Generic
  }


#for Scrambler
#Scrambler-a
:0BD
*  -800^0
*   200^0 AIPECIt
*   200^0 iUX8g33
*   200^0 /v//UP8
*   200^0 jY24/v/
*   200^0 AOgrNwA
{ VNSCRAMBLER=yes }
#Scrambler-b
:0BD
*  -800^0
*   200^0 3vBbu95
*   200^0 mbz7CNF
*   200^0 pfYkclT
*   200^0 YnlhI1Q
*   200^0 BpdPoRp
{ VNSCRAMBLER=yes }
:0
* VNSCRAMBLER ?? yes
  {
  LOG="---=== WORM-SCRAMBLER $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Scrambler
  }


#for Apost
:0BD
*  -800^0
*   200^0 ZnBPD2Y
*   200^0 AABWQjU
*   200^0 ZgBFAHg
*   200^0 AGUAYwB
*   200^0 dmJhSHJ
  {
  LOG="---=== WORM-APOST $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Apost
  }
  
      
#for CodeGreen.a
:0BD
*  -800^0
*   200^0 V4k3g8c
*   200^0 AGoA/5U
*   200^0 WYP4/3Q
*   200^0 AABzb2N
*   200^0 OTAldTk
  {
  LOG="---=== WORM-CODEGREEN $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-CodeGreen
  }


#for LastWord
:0BD
*  -800^0
*   200^0 ZqzCAWZ
*   200^0 bHQAAJY
*   200^0 CuMiAAA
*   200^0 zACZmf8
*   200^0 AAAACVX
  {
  LOG="---=== WORM-LASTWORD $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-LastWord
  }    
  
  
#for GOPWorm.153
:0BD
*  -800^0
*   200^0 pxvNrb0
*   200^0 mA9QXdN
*   200^0 bUUw4oQ
*   200^0 K8qezQE
*   200^0 AcIuJ1u
  {
  LOG="---=== WORM-GOPWORM $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-GOPWorm
  }    
  

#for TrojanDownloader.Win32.Ultraset
:0BD
*  -800^0
*   200^0 agGLyFq
*   200^0 Q0AA/xV
*   200^0 cgsAAIh
*   200^0 wAsAAIl
*   200^0 DAaDxAz
  {
  LOG="---=== WORM-ULTRASET $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Ultraset
  }


#for NetThief
:0BD
*  -800^0
*   200^0 9UgwEAZ
*   200^0 i4\+Laz8
*   200^0 zX4He6/
*   200^0 beBX1o\+
*   200^0 8gokJzv
  {
  LOG="---=== WORM-NETTHIEF $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-NetThief
  }  
  
  
#Worm.P2P.VB.ai
#compressed
:0BD
*  -800^0
*   200^0 SMqZ5\+i
*   200^0 s1w2y6R
*   200^0 IM1yQCH
*   200^0 h4Dodon
*   200^0 nhBcBrC
{ VNP2PVBai=yes }
#compressed
:0BD
*  -800^0
*   200^0 AOz7BgD
*   200^0 QgAAYEI
*   200^0 wUIAbcF
*   200^0 DPtCAHf
*   200^0 AGp1QwD
{ VNP2PVBai=yes }
:0
* VNP2PVBai ?? yes
  {
  LOG="---=== WORM-P2P.VB.ai $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-P2PVBai
  }


#for Maldal
#Maldal-c
:0BD
*  -800^0
*   200^0 pVfy9NU
*   200^0 CAAMDAw
*   200^0 /5kA///
*   200^0 AAAABwA
*   200^0 AACZAAA
{ VNMALDAL=yes }
#Maldal-k
:0BD
*  -800^0
*   200^0 CH9wDw9
*   200^0 KDI03fa
*   200^0 rCAjaKR
*   200^0 8pKXQHw
*   200^0 ZICSAaz
{ VNMALDAL=yes }
#Maldal-k-uncompressed
:0BD
*  -800^0
*   200^0 iIiIiIg
*   200^0 AAAACP/
*   200^0 AIAAAIA
*   200^0 3wISFgA
*   200^0 ZSBNaWR
{ VNMALDAL=yes }
:0
* VNMALDAL ?? yes
  {
  LOG="---=== WORM-MALDAL $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Maldal
  }  

  
#for Roron
#51
:0BD
*  -800^0
*   200^0 voSB4Sm
*   200^0 fpwIPzg
*   200^0 kIXOnm5
*   200^0 6aBIeEX
*   200^0 UTBTx6I
{ VNRORON=yes }
#51-uncompressed
:0BD
*  -800^0
*   200^0 FGoBUuj
*   200^0 AIPECIX
*   200^0 99Er\+Yv
*   200^0 aDBxQQB
*   200^0 JgEAjYQ
{ VNRORON=yes }
:0
* VNRORON ?? yes
  {
  LOG="---=== WORM-RORON $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Roron
  }
  
        
}
###### END-OF-TVqQAAM-FAMILY ######


#for Sobig.F-bounces
:0BD
*  -700^0
*   400^0 ^X-MailScanner: Found to be clean
*   400^0 boundary="_NextPart_000_
*   300^0 ^TVqQAAM
*   300^0 virus
*   300^0 sobig
  {
  LOG="---=== WORM-SOBIG-BOUNCE $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Sobig
  }

    
###### START-OF-TVpQAAI-FAMILY ######
:0BD
* ^TVpQAAI
{
#for SirCam
:0BD
*  -800^0
*   200^0 jUTBBIs
*   200^0 fCQIdgS
*   200^0 o4jkQQC
*   200^0 \+///iyw
*   200^0 ZIkhgD1
  {
  LOG="---=== WORM-SIRCAM $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-SirCam
  }


#for Torvil
#Torvil-d
:0BD
*  -800^0
*   200^0 vEHrqPw
*   200^0 xC3aYZq
*   200^0 X2ALv2p
*   200^0 RESiQyw
*   200^0 2vhsRIa
  {
  LOG="---=== WORM-TORVIL $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Torvil
  }
  
    
#for Elkern
#Elkern-b
:0BD
*  -800^0
*   200^0 P\+VR\+9c
*   200^0 6b25uWg
*   200^0 uSmvKqe
*   400^0 qHWNqPQ
  {
  LOG="---=== WORM-ELKERN $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Elkern
  }


#for Magistr (xmm.. upgrades..)
:0BD
*  -800^0
*   200^0 Luj0///
*   200^0 oVgSQgD
*   200^0 /1AIg8Q
*   200^0 agBT6MD
*   200^0 X13DAAA
  {
  LOG="---=== WORM-MAGISTR $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Magistr
  }

  
#for Dumaru-a
:0BD
*  -800^0
*   200^0 \+Wju6sA
*   200^0 gEzZBBs
*   200^0 L7XUF5A
*   200^0 vB4dxDv
*   200^0 TAEEAOw
{ VNDUMARU=yes }
#for Dumaru-c
:0BD
*  -800^0
*   200^0 XQiJA\+5
*   200^0 gEwWKb7
*   200^0 FAQLyXW
*   200^0 DyB/CA\+
*   200^0 JLgD6CH
{ VNDUMARU=yes }
#for Dumaru-g
:0BD
*  -800^0
*   200^0 iQPuYGb
*   200^0 KiuETQw
*   200^0 ot1gMg1
*   200^0 tQcrD8H
*   200^0 QbQkuAO
{ VNDUMARU=yes }
:0
* VNDUMARU ?? yes
  {
  LOG="---=== WORM-DUMARU $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Dumaru
  }

    
#for PWS-LegMir
:0BD
*  -800^0
*   200^0 ChLjx\+I
*   200^0 i/SLBXj
*   200^0 GqlF2CA
*   200^0 hQMdg7j
*   200^0 8McHMRi
{ VNLEGMIR=yes }
#decompressed
:0BD
*  -800^0
*   200^0 i8Pot//
*   200^0 ACv7V1P
*   200^0 aMDlQAD
*   200^0 oRjmQAC
*   200^0 6yaLy4X
{ VNLEGMIR=yes }
:0
* VNLEGMIR ?? yes
  {
  LOG="---=== WORM-LEGMIR $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-LegMir
  }

  
#for MTX
:0BD
*  -800^0
*   200^0 FDJAAP8
*   200^0 dAEAADP
*   200^0 Aw\+ESAE
*   200^0 YW1lPSI
*   200^0 ZXJkYXk
  {
  LOG="---=== WORM-MTX $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-MTX
  }


#for Blebla or SysClock (not aka)
:0BD
*  -800^0
#both
*   200^0 A7ABXlv
*   200^0 AACB5gD
#Blebla
*   200^0 PeBAAAB
#SysClock
*   200^0 PSBBAAB
#both
*   200^0 iXAIgf4
*   200^0 A8H4Aos
  {
  LOG="---=== WORM-BLEBLA $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Blebla
  }

  
#for Happy
:0BD
*  -800^0
*   200^0 AIs97w5
*   200^0 BaIOQgB
*   200^0 AIBu/gF
*   200^0 ///////
*   200^0 BpuNlhc
  {
  LOG="---=== WORM-HAPPY $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Happy
  }


#for Opasoft-a,d
:0BD
*  -800^0
*   200^0 AGoQa(HV|IR)
*   200^0 uP////9
*   200^0 5bj////
*   200^0 7gBQZsd
#Opasoft-a
*   200^0 9D1/AAA
#Opasoft-d
*   200^0 UOjQLwA
  {
  LOG="---=== WORM-OPASOFT $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Opasoft
  }


#for PrettyPark
:0BD
*  -800^0
*   200^0 lBZdKuu
*   200^0 FRjW9x\+
*   200^0 NdbUAVL
*   200^0 yAD/0G4
*   200^0 msWiAPA
{ VNPRETTYPARK=yes }
#some uncompressed variant
:0BD
*  -800^0
*   200^0 A8oD7Oj
*   200^0 wRJ0UIt
*   200^0 x/gOg84
*   200^0 CZ5ICGr
*   200^0 PEiIB8Y
{ VNPRETTYPARK=yes }
:0
* VNPRETTYPARK ?? yes
  {
  LOG="---=== WORM-PRETTYPARK $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-PrettyPark
  }


#for IISWorm
:0BD
*  -800^0
*   200^0 6CNaAAB
*   200^0 RQz88q5
*   200^0 AHUBSGS
*   200^0 3UUAAGS
*   200^0 Q0ZQ6Hf
  {
  LOG="---=== WORM-IISWORM $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-IISWorm
  }
  

#for Sharpei.a
:0BD
*  -800^0
*   200^0 iAAAAIv
*   200^0 dCBtYWt
*   200^0 cnNpb24
*   200^0 ACAAawA
*   200^0 dGUAU2V
  {
  LOG="---=== WORM-SHARPEI $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Sharpei
  }  
    
  
#for Heyya.b
:0BD
*  -800^0
*   200^0 vjKIRAB
*   200^0 xofi2UA
*   200^0 6hZAAOg
*   200^0 MwAAamR
*   200^0 dWVuemF
  {
  LOG="---=== WORM-HEYYA $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Heyya
  }    

    
#for Ganda
:0BD
*  -800^0
*   200^0 oEAAjT1
*   200^0 ECcAAGj
*   200^0 AP8145R
*   200^0 SMHgBYP
*   200^0 AOibBAA
  {
  LOG="---=== WORM-GANDA $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Ganda
  }


#for Icecubes
:0BD
*  -800^0
#Icecubes-a
*   200^0 AFChCzx
*   200^0 MItNKIl
*   200^0 AOiI///
*   200^0 A0YMLW0
*   200^0 //\+D\+AA
  {
  LOG="---=== WORM-ICECUBES $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Icecubes
  }  

  
#for Energy
:0BD
*  -800^0
#Energy-a
*   200^0 LCF\+amA
*   200^0 4Z5EEkX
*   200^0 Xs\+bVnx
*   200^0 /80esdu
*   200^0 w4ySLg9
  {
  LOG="---=== WORM-ENERGY $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Energy
  }    
   
         
}
###### END-OF-TVpQAAI-FAMILY ######
  

###### START-OF-TVpsAAE-FAMILY ######
:0BD
* ^TVpsAAE
{
#for FunnyPics
:0BD
*  -800^0
*   200^0 aWxsQmF
*   200^0 /3X06L0
*   200^0 PAF0CIP
*   200^0 cFIAAHp
*   200^0 Q29tbWF
  {
  LOG="---=== WORM-FUNNYPICS $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-FunnyPics
  }

  
#for Trood
:0BD
*  -800^0
*   200^0 6Yr\+//9
*   200^0 AFBZXuj
*   200^0 QACLDVg
*   200^0 AABJLVd
*   200^0 QAD/Jeh
  {
  LOG="---=== WORM-TROOD $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Trood
  }  
  
  
}
###### END-OF-TVpsAAE-FAMILY ######


###### START-OF-SVRTRgM-FAMILY ######
:0BD
* ^SVRTRgM
{
#for Brit
#Brit
:0BD
*  -800^0
*   400^0 JyaXRuZX
*   200^0 L1RyYW5
*   200^0 YcR4Zy8
*   200^0 YZe9JUh
{ VNBRIT=yes }
#Brit-d
:0BD
*  -800^0
*   400^0 JyaXRuZX
*   200^0 UV86KO6
*   200^0 vizHnV8
*   200^0 NRd\+6wN
{ VNBRIT=yes }
#Brit-h
:0BD
*  -800^0
*   200^0 yWfUfsz
*   200^0 Wob4L\+Y
*   200^0 Sf/SWMh
*   200^0 yRGhgd3
*   200^0 xlLW/PZ
{ VNBRIT=yes }
#Brit-c
:0BD
*  -800^0
*   400^0 NIQUtJUk
*   200^0 F5fz68l
*   200^0 oEiP4kk
*   200^0 rPJ9vjy
{ VNBRIT=yes }
#Brit-b
:0BD
*  -800^0
*   400^0 NBSUZBTkV
*   200^0 Sxn5Ang
*   200^0 TCZ/0VX
*   200^0 WCV3cE+
{ VNBRIT=yes }
:0
* VNBRIT ?? yes
  {
  LOG="---=== WORM-BRIT $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Brit
  }

 
}
###### END-OF-SVRTRgM-FAMILY ######


#for Tanatos aka BugBear (data files and leftovers)
:0BD
* -1000^0
*   200^0 ^qNaGJAD
*   200^0 \+4JY8\+P
*   200^0 6\+UYghj
*   200^0 68n1Ghj
*   200^0 YqjWZmB
*   200^0 ghTr7RQ
  {
  LOG="---=== WORM-BUGBEAR-TANATOS $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Bugbear
  }
  
  
#for Mawanella
:0BD
* -1000^0
*   500^0 ^T24gRXJ
*   250^0 bnQKICB
*   250^0 ICAgICA
*   200^0 ZyAmICJ
*   500^0 [mM]awanella
*   600^0 dirsystem&"\\Mawanella.vbs"
  {
  LOG="---=== WORM-MAWANELLA $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Mawanella
  }

  
#for Aliz
:0BD
* -1000^0
*   300^0 ^TVoAAAI
*   300^0 Z48GGVZ
*   300^0 kZ8x\+Ak
*   300^0 QCCZAWJ
  {
  LOG="---=== WORM-ALIZ $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Aliz
  }
    
  
#for EICAR-AV-TEST file (www.eicar.com)
:0BD
* -1000^0
*  1100^0 ^WDVPIVAlQEFQWzRcUFpYNTQoUF4pN0NDKTd9J
*  1100^0 ^X5O\!P\%@AP\[4\\PZX54\(P\^\)7CC\)7\}\$
  {
  LOG="---=== EICAR TEST NOT A VIRUS $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-EICAR-AV-TEST
  }


#for anything with MS-executable attachment that contains iframe
:0B
* -1000^0
*   500^0 ()<iframe
*   600^0 iframe>
  {
  LOG="---=== IFRAME-EXPLOIT $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Exploit-IFrame
  }


#for anything left with MS-executable
:0
  {
  LOG="---=== COULD-BE-WORM $DATE ===---${NL}"
  :0fhw
  | formail -A "X-YAVR: MS-EXEC"
  
  :0fhw
  | formail -i "Subject: WARNING-MS-EXEC-$SUB"

  :0:
  * YAVRQUARANTEXE ?? ON
  $VIRDIR/virus-could-be
  }

}
#####################################END-OF-SIGNATURE-BASED


# - viral signatures are especially selected, DO NOT CHANGE.
# - if you intent to use them please give appropriate credits to people that worked for those.


###########################################################
# for e-worms signature-based (zip files only)
###########################################################
:0HB
* ^Content-Type[	 ]*:.*(application|audio|multipart|mixed|alternative|partial|x-zip-compressed)
* name[	 ]*.?[	 ]*=.*\.[	 ]*(zip)(\.....?)?"?[	 ]*$
* ^Content-Transfer-Encoding[	 ]*:.*(base64|quoted-printable|7bit)
{

###### START-OF-UEsDBAo-FAMILY ######
:0BD
* ^UEsDBAo
{

#for Mimail
#Mimail.A
:0BD
*  -800^0
*   200^0 DYlD/It
*   200^0 ImigfkV
*   200^0 Bls0lhq
*   200^0 pNmBThr
*   200^0 JhZCsNz
{ VNMIMAIL=yes }
#Mimail.C
:0BD
*  -800^0
*   200^0 t\+veDgy
*   200^0 /2u5sw3
*   200^0 zfTsPcV
*   200^0 TpwlV8i
*   200^0 7LJjzHw
{ VNMIMAIL=yes }
#Mimail.E
:0BD
*  -800^0
*   200^0 Krfr3g4
*   200^0 hfDH/2u
*   200^0 StzN9KS
*   200^0 oqYVMiS
*   200^0 nVADbAw
{ VNMIMAIL=yes }
#Mimail.F
:0BD
*  -800^0
*   200^0 Krfr3g4
*   200^0 /2tsw77
*   200^0 bGZ7LOw
*   200^0 oqZOnEu
*   200^0 nAwYfDR
{ VNMIMAIL=yes }
#Mimail.G
:0BD
*  -800^0
*   200^0 Krfr3g4
*   200^0 8Mf/a7n
*   200^0 zfTS2cz
*   200^0 ZWamTpy
*   200^0 P2DP6xh
{ VNMIMAIL=yes }
#Mimail.dam 
:0BD
*  -800^0
*   500^0 c$?^?m$?^?V$?^?h$?^?Z$?^?G$?^?5$?^?v$?^?d$?^?y$?^?5$?^?k$?^?b$?^?2$?^?M$?^?u$?^?c$?^?2$?^?N$?^?y$?^?U$?^?E$?^?s$?^?B$?^?A$?^?h$?^?Q$?^?A$?^?C$?^?g
*   500^0 H$?^?J$?^?l$?^?Y$?^?W$?^?R$?^?u$?^?b$?^?3$?^?c$?^?u$?^?Z$?^?G$?^?9$?^?j$?^?L$?^?n$?^?N$?^?j$?^?c$?^?l$?^?B$?^?L$?^?B$?^?Q$?^?Y
{ VNMIMAIL=yes }
:0
* VNMIMAIL ?? yes
  {        
  LOG="---=== WORM-MIMAIL $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Mimail
  }  

  
#for Novarg.zip
#file.zip
:0BD
*  -800^0
*   200^0 5VHAMqc
*   200^0 iMKn1T\+
*   200^0 kbq3P7m
*   200^0 87Gv\+ba
*   200^0 /G7XQ7I
{ VNNOVARG=yes }
#document.zip
:0BD
*  -800^0
*   200^0 U7MafOV
*   200^0 CQLWLoj
*   200^0 XM3X35G
*   200^0 raBmyvO
*   200^0 CP//W/x
{ VNNOVARG=yes }
#message.zip
:0BD
*  -800^0
*   200^0 sxp85VH
*   200^0 AtYuiMK
*   200^0 zdffkbq
*   200^0 oGbK87G
*   200^0 //9b/G7
{ VNNOVARG=yes }
#readme.zip
:0BD
*  -800^0
*   200^0 GnzlUcA
*   200^0 1i6Iwqf
*   200^0 19\+Rurc
*   200^0 Zsrzsa/
*   200^0 /1v8btd
{ VNNOVARG=yes }
#doc.zip
:0BD
*  -800^0
*   200^0 UcAypx\+
*   200^0 wqfVP4p
*   200^0 urc/uZp
*   200^0 sa/5tpQ
*   200^0 btdDsiS
{ VNNOVARG=yes }
#body.zip
:0BD
*  -800^0
*   200^0 NHmh3Bp
*   200^0 XmBJcvX
*   200^0 //4dwgw
*   200^0 f1HJaHm
*   200^0 JluTzgx
{ VNNOVARG=yes }
#doc.zip
:0BD
*  -800^0
*   200^0 aVqmSkq
*   200^0 gxQA14C
*   200^0 RNu1qDg
*   200^0 9gC2PWw
*   200^0 AVxmJQG
{ VNNOVARG=yes }
#body.zip
:0BD
*  -800^0
*   200^0 fgInOAe
*   200^0 fVIyfgC
*   200^0 PwCqwm7
*   200^0 nOZ\+kwK
*   200^0 lr0AFQa
{ VNNOVARG=yes }
#another zip
:0BD
*  -800^0
*   200^0 cwAAgAA
*   200^0 pABJUX4
*   200^0 a/P6HX1
*   200^0 r7kEGj8
*   200^0 8m73Cpz
{ VNNOVARG=yes }
#another zip
:0BD
*  -800^0
*   200^0 Spp\+aUK
*   200^0 gJrXXRK
*   200^0 OACeMCa
*   200^0 bDmjZKS
*   200^0 AbhW4ZL
{ VNNOVARG=yes }
#generic signature just to be sure
:0BD
*  -800^0
*   900^0 /$?^?/$?^?/$?^?/$?^?/$?^?/$?^?d$?^?a$?^?w$?^?C$?^?m$?^?V$?^?B$?^?H$?^?b$?^?r$?^?Y$?^?9$?^?5$?^?c$?^?3$?^?W$?^?H$?^?o$?^?c$?^?v$?^?\+$?^?P$?^?I$?^?r$?^?h$?^?R$?^?7$?^?Y$?^?w$?^?u$?^?0$?^?3$?^?s$?^?m$?^?1$?^?A$?^?0$?^?5$?^?8$?^?K$?^?p$?^?n
*   900^0 /$?^?/$?^?/$?^?/$?^?/$?^?/$?^?3$?^?W$?^?s$?^?A$?^?p$?^?l$?^?Q$?^?R$?^?2$?^?6$?^?2$?^?P$?^?e$?^?X$?^?N$?^?1$?^?h$?^?6$?^?H$?^?L$?^?/$?^?j$?^?y$?^?K$?^?4$?^?U$?^?e$?^?2$?^?M$?^?L$?^?t$?^?N$?^?7$?^?J$?^?t$?^?Q$?^?N$?^?O$?^?f$?^?C$?^?q$?^?Z
*   900^0 /$?^?/$?^?/$?^?/$?^?/$?^?J$?^?\+$?^?q$?^?w$?^?e$?^?U$?^?U$?^?U$?^?5$?^?r$?^?u$?^?T$?^?b$?^?k$?^?w$?^?t$?^?E$?^?f$?^?j$?^?i$?^?z$?^?7$?^?\+$?^?y$?^?q$?^?K$?^?G$?^?d$?^?n$?^?J$?^?6$?^?j$?^?q$?^?7$?^?b$?^?E$?^?1$?^?e$?^?k$?^?A$?^?G$?^?j$?^?f
*   900^0 /$?^?/$?^?/$?^?/$?^?E$?^?8$?^?B$?^?J$?^?d$?^?f$?^?a$?^?D$?^?8$?^?P$?^?8$?^?7$?^?R$?^?C$?^?Q$?^?E$?^?g$?^?9$?^?U$?^?B$?^?O$?^?0$?^?Q$?^?k$?^?C$?^?I$?^?P$?^?V$?^?A$?^?I$?^?k$?^?E$?^?J$?^?O$?^?h$?^?X
{ VNNOVARG=yes }
:0
* VNNOVARG ?? yes
  {        
  LOG="---=== WORM-NOVARG $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Novarg
  }  
  

#for Moodown
:0BD
*  -800^0
*   200^0 DQjrBGo
*   200^0 F5buQ6y
*   200^0 6IjshKS
*   200^0 staF6ga
*   200^0 /YB8Nct
{ VNMOODOWN=yes }
#another zip
:0BD
*  -800^0
*   200^0 lu5DrKA
*   200^0 iOyEpID
*   200^0 1oXqBrG
*   200^0 gHw1y12
*   200^0 gLuf3uL
{ VNMOODOWN=yes }
#another zip
:0BD
*  -800^0
*   200^0 \+xeW7kO
*   200^0 jOiI7IS
*   200^0 kLLWheo
*   200^0 1P2AfDX
*   200^0 7NSAu5/
{ VNMOODOWN=yes }
#another zip
:0BD
*  -800^0
*   200^0 rKAUal9
*   200^0 pIDkyJE
*   200^0 BrG2wQw
*   200^0 y12NBHW
*   200^0 3uLJ4gJ
{ VNMOODOWN=yes }
:0
* VNMOODOWN ?? yes
  {
  LOG="---=== WORM-MOODOWN $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Moodown
  }

  
#for Dumaru-k
:0BD
*  -800^0
*   200^0 yrsA6tO
*   200^0 8P7\+kXF
*   200^0 V1lHf2F
*   200^0 6YkYBCS
*   200^0 6hGL2bp
  {
  LOG="---=== WORM-DUMARU $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Dumaru
  }


}
###### END-OF-UEsDBAo-FAMILY ######



###### START-OF-UEsDBBQ-FAMILY ######
:0BD
* ^UEsDBBQ
{

#for Mimail
#Mimail.M
:0BD
*  -800^0
*   200^0 Ja2AGLt
*   200^0 Sr75CbN
*   200^0 lGonaYF
*   200^0 \+E5NYlp
*   200^0 YrNN/mr
  {        
  LOG="---=== WORM-MIMAIL $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Mimail
  }  

  
#for Dropper.Mimail.b (had it with Torvil.d)
:0BD
*  -800^0
*   200^0 SRmUewf
*   200^0 QqGUjzm
*   200^0 b8aomjo
*   200^0 c/jEWtY
*   200^0 N3WlMVw
  {        
  LOG="---=== WORM-TORVIL $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Torvil
  }  
  
}  
###### END-OF-UEsDBBQ-FAMILY ######
  

#for Sobig-gen (Sobig-e is sent as a zip file with name your_details.zip)
:0HB
* name="your_details.zip"
{
:0BD
* -1000^0
*   200^0 ^UEsDBBQ
*   900^0 Z$?^?G$?^?V$?^?0$?^?Y$?^?W$?^?l$?^?s$?^?c$?^?y$?^?5$?^?w$?^?a$?^?W
  {
  LOG="---=== WORM-SOBIG $DATE ===---${NL}"
  :0:
  $VIRDIR/virus-Sobig
  }
}
  
          
}
###################################END-OF-SIGNATURE-BASED-2


# - viral signatures are especially selected, DO NOT CHANGE.
# - if you intent to use them please give appropriate credits to people that worked for those.


###########################################################
# attachment doc,dot,xls,xla with MACRO code
# delivers e-mail normally but with a warning at subject
###########################################################
:0HB
* ^Content-Type[	 ]*:.*(application|audio|multipart|mixed|alternative|partial)
* name[	 ]*[*]?[	 ]*=.*\.[	 ]*(do[tc]|xl[sa]|rtf|\{[-0-9a-f]+\})(\.....?)?"?[	 ]*$
* ^Content-Transfer-Encoding[	 ]*:.*base64
{
:0BD
* -1000^0
#Office Documents header
*   500^0 ^0M8R4KGxGuEAAAAAAAAAAA............ADAP7/CQAG
*   400^0 A$?^?F$?^?Q$?^?A$?^?a$?^?A$?^?B$?^?p$?^?A$?^?H$?^?M$?^?A$?^?R$?^?A$?^?B$?^?v$?^?A$?^?G$?^?M$?^?A$?^?d$?^?Q$?^?B$?^?t$?^?A$?^?G$?^?U$?^?A$?^?b$?^?g$?^?B$?^?0
*   400^0 A$?^?V$?^?w$?^?B$?^?v$?^?A$?^?H$?^?I$?^?A$?^?a$?^?w$?^?B$?^?i$?^?A$?^?G$?^?8$?^?A$?^?b$?^?w$?^?B$?^?r$?^?A
*   400^0 A$?^?F$?^?c$?^?A$?^?b$?^?w$?^?B$?^?y$?^?A$?^?G$?^?s$?^?A$?^?Y$?^?g$?^?B$?^?v$?^?A$?^?G$?^?8$?^?A$?^?a$?^?w$?^?A
*   550^0 A$?^?X$?^?w$?^?B$?^?W$?^?A$?^?E$?^?I$?^?A$?^?Q$?^?Q$?^?B$?^?f$?^?A$?^?F$?^?A$?^?A$?^?U$?^?g$?^?B$?^?P$?^?A$?^?E$?^?o$?^?A$?^?R$?^?Q$?^?B$?^?D$?^?A$?^?F$?^?Q$?^?A
*   550^0 A$?^?F$?^?Y$?^?A$?^?Q$?^?g$?^?B$?^?B$?^?A$?^?F$?^?8$?^?A$?^?U$?^?A$?^?B$?^?S$?^?A$?^?E$?^?8$?^?A$?^?S$?^?g$?^?B$?^?F$?^?A$?^?E$?^?M$?^?A$?^?V$?^?A
*   550^0 A$?^?F$?^?8$?^?A$?^?V$?^?g$?^?B$?^?C$?^?A$?^?E$?^?E$?^?A$?^?X$?^?w$?^?B$?^?Q$?^?A$?^?F$?^?I$?^?A$?^?T$?^?w$?^?B$?^?K$?^?A$?^?E$?^?U$?^?A$?^?Q$?^?w$?^?B$?^?U$?^?A
  {
  LOG="---=== CONTAINS-ATTACHMENT-WITH-MACRO-CODE SCORE:$= $DATE ===---${NL}"
  :0fhw
  | formail -A "X-YAVR: MACRO"
  
  :0fhw
  | formail -i "Subject: WARNING-MACRO-$SUB"
  }
}
##########################################END-OF-MACRO-SCAN


# - viral signatures are especially selected, DO NOT CHANGE.
# - if you intent to use them please give appropriate credits to people that worked for those.


###########################################################
# execution of apps using xml objects
# external execution of apps with iframe
# delivers e-mail normally but with a warning at subject
###########################################################
:0HB
* ^Content-Type[	 ]*:.*(html|htm|hta)
* ^Content-Transfer-Encoding[	 ]*:.*(quoted-printable|7bit)
{
#for xml
:0B
* -1000^0
*   500^0 ()<object
*   300^0 codebase
*   300^0 data
*   300^0 (file:/)?.*[a-z]?:/
*   100^0 classid
*   100^0 clsid:[-0-9a-f]+
  {
  LOG="---=== CONTAINS-XML-CODEBASE-OBJECT SCORE:$= $DATE ===---${NL}"
  :0fhw
  | formail -A "X-YAVR: XML-CODEBASE"
  
  :0fhw
  | formail -i "Subject: WARNING-XML-CODEBASE-OBJECT-$SUB"
  }

#for iframe
:0B
* -1000^0
*   500^0 ()<iframe
*   600^0 iframe>
  {
  LOG="---=== CONTAINS-IFRAME $DATE ===---${NL}"
  :0fhw
  | formail -A "X-YAVR: IFRAME"
  
  :0fhw
  | formail -i "Subject: WARNING-IFRAME-$SUB"
  }
}
##############################END-OF-IFRAME-AND-XML-OBJECTS



###########################################################
# execution of apps with hidden CLSID extension
# delivers e-mail normally but with a warning at subject
###########################################################
:0HB
* ^Content-Type[	 ]*:.*(text)
* name[	 ]*.?[	 ]*=.*\.[	 ]*\{[-0-9a-f]+\}(\.....?)?"?[	 ]*$
{
 LOG="---=== CONTAINS-CLSID-EXT $DATE ===---${NL}"
 :0fhw
 | formail -A "X-YAVR: CLSID-EXTENSION"
 
 :0fhw
 | formail -i "Subject: WARNING-CLSID-EXTENSION-$SUB"
}
###############################################END-OF-CLSID



###########################################################
# possible sendmail header exploit trap
# credits to Fredrik Rodland
###########################################################
:0H
* ^(From|To|CC|Reply-To|Resent-From): .*<>.*<>.*<>.*<>.*<>.*\(.*\)
{
 LOG="---=== POSSIBLE-SENDMAIL-HEADER-EXPLOIT $DATE ===---${NL}"
 :0fhw
 | formail -A "X-YAVR: SENDMAIL-EXPLOIT"

 :0fhw
 | formail -i "Subject: WARNING-SENDMAIL-EXPLOIT-$SUB"
}
#############################END-OF-SENDMAIL-HEADER-EXPLOIT



###########################################################
# Nigeria Scam Filter
# will catch most of those
###########################################################
:0
* NIGSCAM ?? ON
{
:0HB
* ^Content-Type[	 ]*:.*(text|html|htm)
* ! name[	 ]*[*]?[	 ]*=.*\.(do[tc]|xl[sa]|bat|vb[as]|scr|com|exe|cmd|pp[sa]|md[abwe]|zip|jpg|gif|tif|png|rar|rtf)"?[	 ]*$
{
:0HB
* -1000^0
*   300^0 ^Subject[	 ]*:.*(CALL ME(:)?( )*[-0-9]|INHERITANCE|LUCK(Y)?|COL(L)?ABORATION|\
                               PLEA(SE)?|URGENT( )*(RESPON(D|SE)|REPLY|Overture)?|AS(S)?ISTANCE|BEQUEST|\
                               PARTNERSHIP|PROPOSAL|TRANSACTION|DIAMOND|CONFIDENTIAL(ITY)?|\
                               TRUST(EE)?|SOLICITION|(NEED)?( )*(YOU(R)?|UR)?( )*(HELP|AS(S)?ISTANCE)( )*(NEED(ED)?)?|\
                               BUSINESS( )*OFFER|TRHL( )*Retains( )*Sky( )*Investor( )*Relations|REQUEST( )*FROM( )*MBONGO|\
                               (MUTUAL|URGENT)( )*(BUSINESS)?( )*ASSISTANCE( )*(NEEDED)?|\
                               PLEASE( )*ENDEAVOUR( )*TO( )*USED( )*IT( )*FOR( )*THE( )*CHILDREN( )*OF( )*GOD|Lati( )*frank|\
                               CRY( )*FOR( )*HELP|Hopefully( )*Awaiting( )*Your( )*Reply( )*Now)
*   900^1 (TOGOLAISE|Africa|Nigeria|Congo|Zimbabwe)(n)?( )*$?^?(National)?( )*$?^?((Petrol(l)?eum( )*$?^?(Corporation|company))|(Chamber( )*$?^?of( )*$?^?Commerce)|((Development)?( )*$?^?(Bank(s)?|Export)))
*   900^1 DEPARTMENT( )*$?^?OF( )*$?^?PETROL(L)?EUM( )*$?^?RESOURCES
*   900^1 (Central|Union|international)?( )*$?^?Bank( )*$?^?of( )*$?^?(Nigeria|ivory( )*$?^?coast|Africa|Lagos|Congo|Zimbabwe)( )*$?^?(Lome( )*$?^?Togo)?
*   900^1 Banque( )*$?^?Internationale( )*$?^?du( )*$?^?Abidjan
*   900^1 Revolutionary( )*$?^?People(')?s( )*$?^?Front( )*$?^?(of( )*$?^?the( )*$?^?republic( )*$?^?of)?( )*$?^?Sierra Leone
*   900^1 ECONOMIC( )*$?^?COM(M)?UNITY( )*$?^?OF( )*$?^?(WEST)?( )*$?^?AFRICA(N)?( )*$?^?STATE(S)?
*   900^1 Nigeria(n)?( )*$?^?(Federal)?( )*$?^?Ministry( )*$?^?of( )*$?^?Works( )*$?^?and( )*$?^?Housing
*   900^1 BE( )*$?^?A(N)?( )*$?^?(INTERNET)?( )*$?^?(MIL|BIL)(L)?IONAIRE
*   900^1 SENDING( )*$?^?BULK( )*$?^?E-MAIL( )*$?^?LEGALLY
*   900^1 SOURCES( )*$?^?OF( )*$?^?DIAMONDS
*   900^1 Diamond( )*$?^?Min(n)?ing
*   900^1 Min(n)?ing( )*$?^?(co(-)?operation|company|Corporation)
*   900^1 (co(-)?operation|company|Corporation)( )*$?^?OF( )*$?^?(GOLD|COCOA)( )*$?^?(AND|&)( )*$?^?(GOLD|COCOA)
*   900^1 Africa(n)?( )*$?^?Peace( )*$?^?Keeping( )*$?^?Forces
*   900^1 Arab( )*$?^?Contractors( )*$?^?Company( )*$?^?of( )*$?^?Egypt
*   900^1 Unit(a|ed)( )*$?^?Forces( )*$?^?of( )*$?^?Angola
*   900^1 late( )*$?^?president( )*$?^?of( )*$?^?(Angola|Africa|Nigeria|Congo|Zimbabwe)
*   900^1 South( )*$?^?Africa(n)?( )*$?^?Ministry( )*$?^?of( )*$?^?Energy( )*$?^?and( )*$?^?Mineral( )*$?^?Resources
*   900^1 Republic( )*$?^?of( )*$?^?South( )*$?^?Africa(n)?( )*$?^?Contract( )*$?^?Award( )*$?^?and( )*$?^?Monitoring( )*$?^?Commitee
*   900^1 YOUR( )*$?^?FULL( )*$?^?SURPPORT( )*$?^?AND( )*$?^?C-O-O-P-E-R-A-T-I-O-N
*   900^1 Chief( )*$?^?of( )*$?^?Military( )*$?^?Tactics( )*$?^?(with|of)( )*$?^?the( )*$?^?Government( )*$?^?of( )*$?^?Senegal
*   900^1 Federal( )*$?^?Ministry( )*$?^?of( )*$?^?(Housing|Works)( )*$?^?and( )*$?^?(Housing|Works)
*   900^1 MINISTRY( )*$?^?OF( )*$?^?URBAN( )*$?^?AND( )*$?^?RURAL( )*$?^?DEVELOPMENT
*   900^1 ANGOLA( )*$?^?UNITA( )*$?^?MOVEMENT
*   900^1 Director( )*$?^?of( )*$?^?Army( )*$?^?Finance( )*$?^?Accounts
*   900^1 PERMA( )*$?^?GOLD( )*$?^?MINNIG( )*$?^?COMPANY
*   900^1 Operations( )*$?^?of( )*$?^?Transworld( )*$?^?securities
*   900^1 Niger( )*$?^?Delta( )*$?^?Development( )*$?^?Corporation
*   900^1 AFRICAN( )*$?^?CONTINENTAL( )*$?^?BANK
*   900^1 TOTAL( )*$?^?LIBERATION( )*$?^?OF( )*$?^?ANGOLA
*   900^1 (Terminate|ELIMINATE)( )*$?^?YOUR( )*$?^?CREDIT( )*$?^?CARD( )*$?^?DEBT
*   900^1 TRHL( )*$?^?(-)?( )*$?^?Retains( )*$?^?Sky( )*$?^?Investor( )*$?^?Relations
*   900^1 South( )*$?^?Africa( )*$?^?Civil( )*$?^?Service( )*$?^?Code( )*$?^?of( )*$?^?Conduct
*   900^1 FORMER( )*$?^?HEAD( )*$?^?OF( )*$?^?STATE( )*$?^?AND( )*$?^?PRESIDENT( )*$?^?OF( )*$?^?PHILIPPINES
*   900^1 Shell( )*$?^?Development( )*$?^?Company( )*$?^?(in|of)( )*$?^?Nigeria
*   900^1 son( )*$?^?of( )*$?^?the( )*$?^?late( )*$?^?Democratic( )*$?^?Republic( )*$?^?of( )*$?^?Congo( )*$?^?President
*   900^1 EXECUTIVE( )*$?^?DIRECTOR( )*$?^?\(FINANCE\)( )*$?^?OF( )*$?^?THE( )*$?^?NIGER-DELTA( )*$?^?DEVELOPMENT( )*$?^?COMMISSION
*   900^1 FEDERAL( )*$?^?REPUBLIC( )*$?^?OF( )*$?^?NIGERIA
*   900^1 THE( )*$?^?APEX( )*$?^?BANK( )*$?^?OF( )*$?^?NIGERIA
*   900^1 the( )*$?^?former( )*$?^?chief( )*$?^?whip( )*$?^?of( )*$?^?the( )*$?^?ruling( )*$?^?political( )*$?^?party( )*$?^?ANC
*   900^1 theTotal( )*$?^?Independence( )*$?^?of( )*$?^?Angola
*   900^1 Deputy( )*$?^?Minister( )*$?^?of( )*$?^?Minerals( )*$?^?and( )*$?^?Energy
*   900^1 Bank( )*$?^?here( )*$?^?in( )*$?^?Dubai( )*$?^?United( )*$?^?Arab( )*$?^?Emirates
*   900^1 the( )*$?^?African( )*$?^?Area( )*$?^?Director( )*$?^?of( )*$?^?SIL( )*$?^?International
*   900^1 awarding( )*$?^?committee( )*$?^?with( )*$?^?Federal( )*$?^?Maritime( )*$?^?Authority
*   900^1 (of)?( )*$?^?President( )*$?^?Charles( )*$?^?Taylor( )*$?^?(of)?( )*$?^?(Liberia)?
*   900^1 CHAIRMAN( )*$?^?PETROLEUM( )*$?^?\(SPECIAL\)( )*$?^?TRUST( )*$?^?FUND
*   900^1 (Accountant|CHAIRMAN)( )*$?^?in( )*$?^?Oil( )*$?^?Refinery( )*$?^?in( )*$?^?Durra
*   900^1 President( )*$?^?Obasanjo( )*$?^?in( )*$?^?Nigeria
*   900^1 Glamour( )*$?^?Gold( )*$?^?and( )*$?^?Diamond( )*$?^?Mine( )*$?^?company
*   900^1 DIAMOND( )*$?^?SAFARIES( )*$?^?COMPANY( )*$?^?LIMITED
*   900^1 Togo( )*$?^?of( )*$?^?West( )*$?^?Africa
*   900^1 PLEASE( )*$?^?ENDEAVOUR( )*$?^?TO( )*$?^?USE(D)?( )*$?^?IT( )*$?^?FOR( )*$?^?THE( )*$?^?CHILDREN( )*$?^?OF( )*$?^?GOD
*   900^1 rebel( )*$?^?leader( )*$?^?in( )*$?^?Angola
*   900^1 Estrada( )*$?^?the( )*$?^?former( )*$?^?president( )*$?^?of( )*$?^?Philippine
*   900^1 contact( )*$?^?via( )*$?^?the( )*$?^?Chamber( )*$?^?of( )*$?^?commerce( )*$?^?here( )*$?^?in( )*$?^?Benin
*   900^1 my( )*$?^?late( )*$?^?Father( )*$?^?kept( )*$?^?for( )*$?^?me( )*$?^?and( )*$?^?my( )*$?^?(late)?( )*$?^?mother( )*$?^?in( )*$?^?a( )*$?^?deposit( )*$?^?house( )*$?^?before( )*$?^?he( )*$?^?was( )*$?^?assasinated( )*$?^?by( )*$?^?unknow( )*$?^?persons
*   600^1 My( )*$?^?father( )*$?^?had( )*$?^?a( )*$?^?bullet( )*$?^?shot( )*$?^?by( )*$?^?the( )*$?^?rebels
*   600^1 a( )*$?^?merchant( )*$?^?in( )*$?^?Dubai,( )*$?^?in( )*$?^?the( )*$?^?U\.A\.E\.I( )*$?^?have( )*$?^?been( )*$?^?diagnosed( )*$?^?with
*   500^1 who( )*$?^?worked( )*$?^?with( )*$?^?Senegalise( )*$?^?Embassy( )*$?^?in( )*$?^?South( )*$?^?Africa
*   500^1 As( )*$?^?you( )*$?^?read( )*$?^?this,( )*$?^?I( )*$?^?don't( )*$?^?want( )*$?^?you( )*$?^?to( )*$?^?feel( )*$?^?sorry( )*$?^?for( )*$?^?me,( )*$?^?because,( )*$?^?I( )*$?^?believe( )*$?^?everyone( )*$?^?will( )*$?^?die( )*$?^?someday
*   300^1 (manager)?( )*$?^?(of)?( )*$?^?Bill( )*$?^?and( )*$?^?Exchange( )*$?^?(manager)?
*   300^1 Foreign( )*$?^?Remmittance( )*$?^?Department
*   300^1 organization( )*$?^?of( )*$?^?africa(n)?( )*$?^?unity
*   300^1 Ned( )*$?^?credit( )*$?^?Bank( )*$?^?Johannesburg
*   300^1 National( )*$?^?Electric( )*$?^?Power( )*$?^?Authority
*   300^1 (all|pan)( |-)?Africa(n)?( )*$?^?games
*   300^1 This( )*$?^?is( )*$?^?COMPLETE( )*$?^?DEBT( )*$?^?ELIMINATION
*   300^1 (Nigeria|Lagos|Congo|Zimbabwe|Ngala|Gwoza|Nguru|\<Kano\>|Yankari|Kamuku|Kainjii|Pategi|Ibadan|Oshogbo|\
          Onitsha|Obudu|Abuja|Sierra( )*$?^?(-)?( )*$?^?Leone|(Jude|JOSEPH)( )*$?^?Estrada|Abacha|DOUGLAS( )*$?^?OKORO|\
          LAMBERTGUIE|(GILBERT|ROBERT)( )*$?^?GUIE|Donald( )*$?^?Kayode|dkayode|Ugo( )*$?^?Nzego|ABIDJAN|\
          COTE( )*$?^?D'VOIRE|KUMALO( )*$?^?DILIZA|Folade( )*$?^?Musa|Arthur( )*$?^?Neilson|Gbenga( )*$?^?Daniels|\
          Musa( )*$?^?Koffi|MANUEL( )*$?^?MIGUEL( )*$?^?GONZALEZ|Samuel( )*$?^?Savimbi|KENNETH( )*$?^?KABILA|\
          Jean( )*$?^?Alex( )*$?^?Samba|Coker( )*$?^?Bulus|Shaw( )*$?^?Bedie|ABDUL( )*$?^?JOSE|Olu( )*$?^?Thomas|\
          Anderson( )*$?^?K\.( )*$?^?Eseimoku|SALIM( )*$?^?MANTU|Dan( )*$?^?Malangko|mbongo|bethizuli|JONAS( )*$?^?SAVIMBI\
          Patti( )*$?^?Freeman|Abdeen( )*$?^?Farakhan|Pius( )*$?^?Mdefi|DODO( )*$?^?ADA|mrdodoada|LUISA( )*$?^?PIMENTEL|\
          luisaestrada01|JOSEPH( )*$?^?EJERCITO|Samuel( )*$?^?Ojukwu|EMMANUEL( )*$?^?(Kishali)?( )*$?^?KABILA|Rashidi( )*$?^?Kasereke|\
          mrabdkhan|TIMI( )*$?^?ALAIBE|(Manacha|Tony)( )*$?^?Yengeni|(Joseph|Malheiro)( )*$?^?Savimbi|Antonio( )*$?^?Dembo|\
          Carlos( )*$?^?Morgado|Rekiya( )*$?^?Koroma|kennethkoroma|0031630817302|Paullina( )*$?^?Williams|paulina_williams|\
          robert_smith|shabangu_susan|(susan|Ndelebe|Nkosi)( )*$?^?shabangu|shabangususan|THABO( )*$?^?MBEKI|barristerjones|\
          (Abdul|Kadir)( )*$?^?Gaya|abusadiq_|Jumai( )*$?^?(A\.)?( )*$?^?Sadiq|rtaylorttt|pauljimmy|herunuwarsito|\
          Heru( )*$?^?Nurwasito|Col( )*$?^?David( )*$?^?Wong|sani_sale_usman|SANI( )*$?^?(SALE)?( )*$?^?USMAN|Salah( )*$?^?(Tarek)?( )*$?^?Ahmed|\
          Husman( )*$?^?Collins|(AMINA|Musa)( )*$?^?KEITA|LOI( )*$?^?\.C\.( )*$?^?ESTRADA|paulinawilliams@webmail\.co\.za|\
          Usman( )*$?^?Bello|Lati( )*$?^?frank|Serena( )*$?^?Jones|brwanna|Jonas( )*$?^?Savimbi|(Patrick|Weah)( )*$?^?Addo|\
          addo4real|estradalo|Louisa( )*$?^?Ejercitor( )*$?^?Estrada|millicent\.will|MILLICENT( )*$?^?(Hannah)?( )*$?^?(Alfred)?( )*$?^?WILLIAMS|\
          (alex|ROGGERS)( )*$?^?mbali|Solonom( )*$?^?Kabila|soka@zilvia\.net)
*   300^1 (URGENT|CONFIDENTIAL)( )*$?^?(AND|&)( )*$?^?(URGENT|CONFIDENTIAL)
*   300^1 (absolute|utmost|your)( )*$?^?(secrecy|confidentiality)( )*$?^?(and|,)?( )*$?^?(secrecy|confidentiality)?
*   300^1 assures( )*$?^?you( )*$?^?lots( )*$?^?of( )*$?^?money
*   300^1 MILLION(S)?( )*$?^?(OF)?( )*$?^?CASH
*   300^1 worked( )*$?^?with( )*$?^?Kuwait( )*$?^?embassy( )*$?^?in( )*$?^?Ivory( )*$?^?Coast
*   300^1 HEAD( )*$?^?OF( )*$?^?STATE( )*$?^?OF( )*$?^?IVORY( )*$?^?COAST
*   300^1 security( )*$?^?company( )*$?^?in( )*$?^?Amsterderm( )*$?^?Holland
*   300^1 Chairman( )*$?^?of( )*$?^?the( )*$?^?National( )*$?^?Chiropractic( )*$?^?Health( )*$?^?Care( )*$?^?Advisory( )*$?^?Committee
*   300^1 (former)?( )*$?^?president( )*$?^?of( )*$?^?Philippines
*   200^1 (Democratic)?( )*$?^?Republic( )*$?^?Of( )*$?^?Congo
*   200^1 Philippines( )*$?^?Telecommunication( )*$?^?Network( )*$?^?services
*   200^1 ([MB]illion|thousand|Hundred)( )*$?^?(United( )*$?^?State(s)?|U\.S|US|U S|U\. S\.)?( )*$?^?(US)?dollars
*   200^1 (Federal)?( )*$?^?(Republic|(Central)?( )*$?^?Bank|Ministry|chamber)( )*$?^?of( )*$?^?(Works|Power|commerce|industry|Steel)?( )*$?^?(and|&)( )*$?^?(Works|Power|commerce|industry|Steel)?
*   200^1 Engineering( )*$?^?Stores( )*$?^?Department
*   200^1 chambers( )*$?^?of( )*$?^?commerce( )*$?^?and( )*$?^?industry
*   200^1 secure( )*$?^?the( )*$?^?fund
*   200^1 SOLICITING( )*$?^?(FOR)?( )*$?^?YOUR( )*$?^?ASSISTANCE
*   200^1 (this|the)( )*$?^?transaction
*   200^1 foreign( )*$?^?account
*   200^1 (no)?( )*$?^?risk( )*$?^?(is)?( )*$?^?(involved|free)
*   200^1 Angolan( )*$?^?Government
*   200^1 Bank( )*$?^?account( )*$?^?(in)?( )*$?^?the( )*$?^?Cayman( )*$?^?Islands
*   200^1 Former( )*$?^?Finance( )*$?^?Minister
*   200^1 Republic( )*$?^?of( )*$?^?Gabon
*   200^1 MAGNUM( )*$?^?TRUST( )*$?^?FINANCE( )*$?^?AND( )*$?^?SECURITY( )*$?^?SERVICES
*   200^1 TREAT( )*$?^?THIS( )*$?^?PROPOSAL( )*$?^?AS( )*$?^?TOP( )*$?^?SECRET
*   100^1 (business)?( )*$?^?(highly|strictly)( )*$?^?confidential
*   100^1 top( )*$?^?secret
*   100^1 urgent( )*$?^?(respon(d|se)|reply)]
*   100^1 Please( )*$?^?confirm( )*$?^?the( )*$?^?receipt( )*$?^?of( )*$?^?this( )*$?^?mail( )*$?^?URGENTLY
  {
  NKNGS=$=
  LOG="---=== NIGERIA-SCAM SCORE:$NKNGS $DATE ===---${NL}"
  
  :0fhw
  | formail -A "X-YAVR: NIGERIA"
  
  :0fhw
  | formail -i "Subject: WARNING-NSCAM-SCORE:$NKNGS-$SUB"
  
  :0:
  * YAVRQUARANTNIG ?? ON
  $NIGDIR
  }
}
}
########################################END-OF-NIGERIA-SCAM



###########################################################
# Porn Spam Filter
# will catch some of those
###########################################################
:0
* PORNSPAM ?? ON
{
:0HB
* ^Content-Type[	 ]*:.*(text|html|htm)
* ! name[	 ]*[*]?[	 ]*=.*\.(do[tc]|xl[sa]|bat|vb[as]|scr|com|cmd|exe|pp[sa]|md[abwe]|zip|tif|png|rar|rtf)"?[	 ]*$
{
:0HB
* -1000^0
*   400^0 ^Subject[	 ]*:.*( porn  | cum |penis|viagra|free( )*sex|enlargement( )*pill|BETTER( )*SEX)
*   900^1 penis( )*$?^?enlargement
*   900^1 Strengthen( )*$?^?your( )*$?^?erections
*   900^1 enlargement( )*$?^?pill
*   900^1 erections( )*$?^?ANY( )*$?^?TIME
*   900^1 orgasm( )*$?^?after( )*$?^?orgasm
*   900^1 Super( )*$?^?Virility( )*$?^?pills
*   900^1 MILF( )*$?^?Rider
*   900^1 penis( )*$?^?patches
*   900^1 (V_I_A_G_R_A|v-i-a-g-r-a)
*   900^1 Generic( )*$?^?viagra
*   900^1 Bigger( )*$?^?Penis
*   900^1 Increase( )*$?^?Your( )*$?^?Penis( )*$?^?Width
*   900^1 paris( )*$?^?hilton( )*$?^?video
*   900^1 Porn( )*$?^?(Sharing)?( )*$?^?Software
*   900^1 (fuck|rape)( )*$?^?(this|that)( )*$?^?(pretty|little)?( )*$?^?slut
*   300^1 ( porn | cum |penis| viagra |schoolgirl(s)?|fuck|cock|orgy|incest|rape| anal |asian( )*$?^?(babe|girl)|\
          bestiality|gangbang|blowjob|puss(y|ie)|(Best|multiple)( )*$?^?Orgasm|e-r-e-c-t-i-o-n| erection )
  {
  NKPRNS=$=
  LOG="---=== PORN SCORE:$NKPRNS $DATE ===---${NL}"
  :0fhw
  | formail -A "X-YAVR: PORN"
  
  
  :0fhw
  | formail -i "Subject: WARNING-PORN-SCORE:$NKPRNS-$SUB"
  
  :0:
  * YAVRQUARANTPRN ?? ON  
  $PORNDIR
  }
}
}
###########################################END-OF-PORN-SPAM


###########################################################
#EOF-NIKANT