.N W32_Novarg_Worm 	#Policy Name
.L 2 	#Policy structure
.D This policy detects the infection of the W32.Novarg.AA worm.  This worm is a mass-mailing, network-aware worm that has the following file extensions of .exe, .pif, .scr, and .zip. 	#Policy Description
.V 1075174582 	#Policy revision number
.B 2 	#Policy version number
.Z 3 	#Policy ID
.Z 3 	#Policy ID
.R W32_Novarg_Worm_File_Activity 	#Rule Definition
..D This rule detects the creation of files associated with the infection of the W32.Novarg.AA worm. 	#Rule Description
..Z 3 	#Rule ID
..Y  	#Rule Type ID
..V 90 	#Rule Value
..S 	#Select Clause(s)
...G System Message 	#System Message
....T *shimgapi.dll* 	#Regular text
....C 1 	#Case sensitivity
....Z 1 	#ID of the clause
..A  	#Action Clause(s)
...E Record to Event Viewer 	#Record Event
....N AMAL=Y,UMAL=Y,FPOS=N	#Record Attributes
....Z 3 	#ID of the clause