.N W32_Sasser_Worm #Policy Name
.L 2 #Policy structure
.D This policy detects changes on the system associated with the W32.Sasser Worm. #Policy Description
.V 1083606492 #Policy revision number
.Z 3191 #Policy ID
.R Sasser_Worm_Activity #Rule Definition
..D This rule detects the changes in the registry associated with the W32.Sasser Worm. #Rule Description
..Z 3185 #Rule ID
..V 90 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*avserve.exe* #Regular text
....T *\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*avserve2.exe* #Regular text
....C 1 #Case sensitivity
....Z 3183 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3184 #ID of the clause
.R Sasser_Worm_Filter #Rule Definition
..D Detects changes to the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" Key. #Rule Description
..Z 3187 #Rule ID
..P #Stop Rule
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\* #Regular text
....T 3145728 #Regular text
....C 0 #Case sensitivity
....Z 3186 #ID of the clause
.R Sasser_File_Detected #Rule Definition
..D This rule detects the creation of files associated with infection of the W32.Sasser worm. #Rule Description
..Z 3190 #Rule ID
..V 90 #Rule Value
..I #Ignore Clause(s)
...G System Message #System Message
....T *added to check list* #Regular text
....C 1 #Case sensitivity
....Z 3192 #ID of the clause
..S #Select Clause(s)
...G System Message #System Message
....T *\avserve.exe*File Change* #Regular text
....T *\avserve2.exe*File Change* #Regular text
....C 1 #Case sensitivity
....Z 3188 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3189 #ID of the clause
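The two System Message rules above (Sasser_Worm_Activity and Sasser_File_Detected) can be exercised offline against constructed agent messages to see how the Select wildcards, the Ignore clause and the "C" case-sensitivity flag interact. This is an added example, not part of the policy export or of the product; the Rule class, the evaluate() function and the sample messages are assumptions, and the Indirect Sasser_Worm_Filter rule is assumed to be what feeds registry events into the message stream.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One rule as modelled here: Select patterns, optional Ignore patterns, case flag."""
    name: str
    select: list
    ignore: list = field(default_factory=list)
    case_sensitive: bool = True        # mirrors the policy's "C 1" / "C 0" flag

    def _any_match(self, patterns, message):
        if not self.case_sensitive:
            patterns = [p.lower() for p in patterns]
            message = message.lower()
        # fnmatchcase: '*' wildcards only, no platform-dependent case folding
        return any(fnmatch.fnmatchcase(message, p) for p in patterns)

    def fires(self, message):
        """An Ignore clause match suppresses the rule before Select is consulted."""
        if self._any_match(self.ignore, message):
            return False
        return self._any_match(self.select, message)

RUN_KEY = r"*\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\*"

# The two System Message rules from the policy, transcribed as data.
SASSER_RULES = [
    Rule("Sasser_Worm_Activity",
         select=[RUN_KEY + "avserve.exe*", RUN_KEY + "avserve2.exe*"]),
    Rule("Sasser_File_Detected",
         select=[r"*\avserve.exe*File Change*", r"*\avserve2.exe*File Change*"],
         ignore=["*added to check list*"]),
]

def evaluate(messages, rules=SASSER_RULES):
    """Return (rule name, message) pairs that the Action clause would record."""
    return [(r.name, m) for m in messages for r in rules if r.fires(m)]

# Constructed sample system messages (not real agent output).
SAMPLE_MESSAGES = [
    r"Registry Value Set: \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\avserve.exe = C:\WINDOWS\avserve.exe",
    r"C:\WINDOWS\avserve2.exe File Change: Created",
    r"C:\WINDOWS\avserve.exe File Change: added to check list",   # suppressed by the Ignore clause
    r"C:\WINDOWS\notepad.exe File Change: Modified",              # benign, no match
]

if __name__ == "__main__":
    for name, msg in evaluate(SAMPLE_MESSAGES):
        print(f"[{name}] {msg}")
```

Because both rules are exported with "C 1", a message whose file name differs only in case is not selected; setting case_sensitive=False shows the "C 0" behaviour.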