220.127.116.11 - - [19/Apr/2004:12:21:21 -0700] "GET /NULL.IDA?CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC%u0aeb%ub890%uac (and go on, go on).....
'nocase|NC' (no case)
This makes the test case-insensitive, i.e., there is no difference between 'A-Z' and 'a-z' both in the expanded TestString and the CondPattern. This flag is effective only for comparisons between TestString and CondPattern. It has no effect on filesystem and subrequest checks.
What I was trying to say is that it doesn't matter if you send a 200, a 404, a 302 or an 8675309 - this is a virus, not a browser, not a hacker (per se). You're welcome to take up CPU calculating whatever you want when you get this but the virus doesn't care. It is trying to infect a Microsoft IIS server, not be a well behaved HTTP application.