.N W32_Welchia_B_Worm #Policy Name
.L 2 #Policy structure
.D This policy detects changes on the system associated with the W32.Welchia B and C Worm #Policy Description
.V 1077051617 #Policy revision number
.Z 2887 #Policy ID
.Z 2887 #Policy ID
.R Welchia_B_File_Detected #Rule Definition
..D This rule detects the creation of files associated with infection of the W32.Welchia.B and Welchia.C worms. #Rule Description
..Z 2885 #Rule ID
..V 90 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\system32\drivers\svchost.exe* #Regular text
....C 1 #Case sensitivity
....Z 2883 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 2884 #ID of the clause
.R Welchia_B_Filter #Rule Definition
..D This is a filter for the Welchia B Service changes in the registry. #Rule Description
..Z 2886 #Rule ID
..P #Stop Rule
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\* #Regular text
....T 3145740 #Regular text
....C 0 #Case sensitivity
....Z 2888 #ID of the clause
.R Welchia_B_Service_Added #Rule Definition
..D This rule detects the service that Welchia B and C add to an infected system. #Rule Description
..Z 2889 #Rule ID
..V 90 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WksPatch*\drivers\svchost.exe* #Regular text
....C 1 #Case sensitivity
....Z 2890 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 2891 #ID of the clause