/ip firewall mangle print
chain=prerouting action=add-dst-to-address-list protocol=tcp src-address-list=users address-list=virus-ym \
   address-list-timeout=3d layer7-protocol=virus-ym in-interface=lan dst-port=80
/ip firewall layer7-protocol print
1 virus-ym                                            ^get./image.php[ -~\t-\r]*host:.bflmages.com
:foreach x in=[ /ip firewall address-list find list="virus-ym" ] do={ :local a [ /ip firewall address-list get $x address ]; :put $a; }
69.147.83.187
98.136.50.138

/ip firewall filter print
chain=forward action=drop protocol=tcp src-address-list=users layer7-protocol=virus-ym in-interface=lan dst-port=80