It's matching the "res" parts of the HJT logs
Replace
"IE: "Shell"/"Res" Cross Zone Exploit [Kye-U]" and
"Prevent file access [Siamesecat] {Modified by Kye-U}" with the following filters:
Code:
[Patterns]
Name = "Prevent file access [Siamesecat] {Modified by Kye-U}"
Active = TRUE
URL = "(^(\w.|)(castlecops.com|short-media.com/forum)/)"
Bounds = "<(a|img|input|(no|)script|applet|object|area)\s*<(/*|br)>"
Limit = 1000
Match = "*((GetObject|open)\w|)[^a-z0-9]([a-z]:([\\]+{1,*})(*|)|"
"(file://(/|)|(res|shell):|)[^a-z0-9][a-z](:|\|)([/]+{1,*})(*|)|"
"document.open|uploadFile=)*"
Replace = "File Access Removed!"
Name = "IE: "Shell"/"Res" Cross Zone Exploit [Kye-U]"
Active = TRUE
URL = "(^(\w.|)(castlecops.com|short-media.com/forum)/)(^*.(gif|jp(e|)g|png|ico))(^$TYPE(css))"
Limit = 512
Match = "(=|\()$AV(((shell|res)(|2(shell|res)))([:]+{1,3})*)"
""
"&*$SET(Msg=)($TST(svAlert=1)$SET(Msg=$ALERT(IE: "Shell"/"Res" Cross Zone Exploit Detected on:\n\n\u))|)"
"$SET(\9=This exploit can execute possibly malicious programs with permissions of the My Computer Zone."
""
"Version(s) Vulnerable: 6.0 (SP1)"
"http://www.securityfocus.com/bid/9628/info/"
"http://www.securityfocus.com/bid/10943/info/)"
Replace = "$GET(Msg)$SET(Msg=)"
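The same idea in plain code, as an added Python example that is not part of the post or of the Proxomitron filter set: a scheme match for `shell:`/`res:` attribute values, the image/CSS exclusion, and the per-site bypass list that keeps pasted HijackThis logs from triggering it. The function names, the `BYPASS` table and the sample page and log lines are all constructed for the illustration.

```python
import re
from urllib.parse import urlsplit

# Bypass list modelled on the URL field of the posted filter:
# (^(\w.|)(castlecops.com|short-media.com/forum)/) negates the match on those
# sites because HijackThis logs pasted there legitimately contain "res://".
# Entries are (host suffix, path prefix); constructed for this example.
BYPASS = (
    ("castlecops.com", "/"),
    ("short-media.com", "/forum"),
)

# Content the filter never scans: images and stylesheets (the second and
# third groups of its URL field).
SKIP_TYPES = ("image/", "text/css")

# Rough equivalent of the Match clause: an attribute value or call argument,
# introduced by "=" or "(", whose scheme is shell: or res: (res:// included).
SCHEME_RE = re.compile(r'(?:=|\()\s*["\']?\s*(shell|res):', re.IGNORECASE)


def is_bypassed(page_url):
    """True when the page's host and path fall under an entry of BYPASS."""
    parts = urlsplit(page_url)
    host = (parts.hostname or "").lower()
    for suffix, prefix in BYPASS:
        host_ok = host == suffix or host.endswith("." + suffix)
        if host_ok and parts.path.startswith(prefix):
            return True
    return False


def find_cross_zone_refs(page_url, body, content_type="text/html"):
    """Return (scheme, snippet) pairs for each shell:/res: reference in body,
    or an empty list when the page is bypassed or not a scannable type."""
    if is_bypassed(page_url) or content_type.startswith(SKIP_TYPES):
        return []
    return [(m.group(1).lower(), body[m.start():m.start() + 60])
            for m in SCHEME_RE.finditer(body)]


# Constructed sample inputs (not taken from any real page or log).
EXPLOIT_PAGE = (
    '<html><body><a href="shell:cookies">open</a>'
    '<iframe src="res://shdoclc.dll/dnserror.htm"></iframe></body></html>'
)

HJT_LOG_POST = (
    "<pre>Logfile of HijackThis\n"
    "R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank\n"
    "R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Search,SearchAssistant"
    " = res://C:\\WINDOWS\\system32\\shdoclc.dll/search.htm\n"
    "</pre>"
)

if __name__ == "__main__":
    # Flagged: shell: and res: attribute values on an ordinary site.
    print(find_cross_zone_refs("http://example.org/page.html", EXPLOIT_PAGE))
    # False positive: the same res:// string inside a pasted HJT log...
    print(find_cross_zone_refs("http://example.org/post.html", HJT_LOG_POST))
    # ...which the bypass list suppresses on the log-analysis forum.
    print(find_cross_zone_refs("http://www.castlecops.com/t12345-log.html", HJT_LOG_POST))
```

Like the filter, this matches on the scheme alone and cannot tell a pasted log from live markup, so the bypass trades all coverage on the listed hosts for silence there; keep such a list short and anchored on the forum path where possible, as the short-media.com entry does.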
I will include this in my next release. (Perhaps I'll have to implement a bypass list...)