.N W32_Welchia_Worm	#Policy Name
.L 2 	#Policy structure
.D This policy detects changes in the registry associated with the W32.Welchia.Worm	#Policy Description
.V 1052800112 	#Policy revision number
.Z 2195 	#Policy ID
.R W32_Welchia_Worm Activity	#Rule Definition
..D This rule detects the changes in the registry associated with the W32.Welchia Worm.	#Rule Description
..Z 3088 	#Rule ID
..V 90 	#Rule Value
..S 	#Select Clause(s)
...G System Message 	#System Message
....T *\HKEY_LOCAL_MACHINE\System\*ControlSet*\Services\RpcPatch* 	#Regular text
....C 1 	#Case sensitivity
....Z 3086 	#ID of the clause
..A  	#Action Clause(s)
...E Record to Event Viewer 	#Record Event
....Z 3087 	#ID of the clause
.R RpcPatch Key-Filter 	#Rule Definition
..D Detects changes to the "HKLM\System\CurrentControlSet\Services\RpcPatch" Key. 	#Rule Description
..Z 3092 	#Rule ID
..T 	#Indirect Rule
..V 0 	#Rule Value
..S 	#Select Clause(s)
...Q Select NT Registry Key 	#NT Registry
....T * 	#Regular text
....T \HKEY_LOCAL_MACHINE\System\*ControlSet*\Services\RpcPatch\*	#Regular text
....T 3145920 	#Regular text
....C 0 	#Case sensitivity
....Z 3289 	#ID of the clause