Layer7: DNS Pattern to catch only .CC domains

I modified the DNS pattern to this:

^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*[\x02-\x06](cc)[\x01-\x10][\x01\x03\x04\xFF]

And the .CC domains are being detected, but I need to know if this is written well, or whether it will catch other domains, not only .cc

PS: Sorry for my bad English! :)

Why would you want to catch .cc domains? I have one.

Because, along with other rules of number of connections, I can identify if a user has a computer infected with a virus. When the machine has a virus, this generates a lot of connections and DNS resolution requests like this:

dbpiqlx.cc
pdlcgjpf.com
plhbhbwh.net
xaplvuyw.cc
iidllkvybl.cc
olytatcn.com
izyjofff.com
jovxpxkesy.cc

There are also a lot of .com domains there. You probably won't block those ;)

I don't block .com or .cc or .net; I only identify the request, then redirect all traffic of that user to a website, where I inform them that they are infected with a virus.
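To check what the pattern from the first post actually matches, the following added example (not code from the thread) builds DNS queries in wire format and runs the posted regex over them. It assumes the Layer7 matcher sees the payload with NUL bytes removed (without that, the pattern cannot match a query at all); the helper names and the edge-case domain names are constructed for the test.

```python
import re
import struct

# Pattern exactly as posted in the thread (bytes regex; DOTALL so "." matches any byte).
CC_PATTERN = re.compile(
    rb"^.?.?.?.?[\x01\x02].?.?.?.?.?.?[\x01-?][a-z0-9][\x01-?a-z]*"
    rb"[\x02-\x06](cc)[\x01-\x10][\x01\x03\x04\xFF]",
    re.DOTALL,
)

QTYPE_A, QTYPE_AAAA = 1, 28


def dns_query(name: str, qtype: int = QTYPE_A, txid: int = 0x1234) -> bytes:
    """Build a standard recursive DNS query (RFC 1035 wire format), class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)


def l7_view(payload: bytes) -> bytes:
    """Assumption: the matcher sees the payload with NUL bytes removed."""
    return payload.replace(b"\x00", b"")


def matches_cc(name: str, qtype: int = QTYPE_A) -> bool:
    """True if the posted pattern matches a query for `name` of type `qtype`."""
    return CC_PATTERN.search(l7_view(dns_query(name, qtype))) is not None


# Names quoted in the thread, plus constructed edge cases.
THREAD_NAMES = ["dbpiqlx.cc", "pdlcgjpf.com", "plhbhbwh.net", "xaplvuyw.cc",
                "iidllkvybl.cc", "olytatcn.com", "izyjofff.com", "jovxpxkesy.cc"]
EDGE_CASES = [("cc.example.com", QTYPE_A), ("www.cc.example.net", QTYPE_A),
              ("abcc.com", QTYPE_A), ("dbpiqlx.cc", QTYPE_AAAA)]

if __name__ == "__main__":
    for n in THREAD_NAMES:
        print(f"{n:22} type={QTYPE_A:<2} match={matches_cc(n)}")
    for n, t in EDGE_CASES:
        print(f"{n:22} type={t:<2} match={matches_cc(n, t)}")
```

On these inputs the pattern matches only the A queries whose last label is `cc`. It does not match the AAAA (type 28) query for the same name, because `\x1c` is outside `[\x01-\x10]`.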