.N W32_SobigF_Worm #Policy Name
.L 2 #Policy structure
.D This policy detects the infection of a Windows host by the W32.SobigF.mm. This worm is a mass-mailing, network-aware worm that sends itself to all the email addresses it finds in files with the following extensions: .dbx, .eml, .hlp, .htm, .html, .mht, .wab, and .txt. #Policy Description
.V 1023479987 #Policy revision number
.B 1 #Policy version number
.Z 14200 #Policy ID
.R W32_SobigF_Registry_Activity #Rule Definition
..D This rule detects the infection of the W32.SobigF.mm through registry activity. #Rule Description
..Z 13251 #Rule ID
..V 90 #Rule Value
..S #Select Clause(s)
...G System Message #System Message
....T *HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\TrayX*winppr32.exe* #Regular text
....C 1 #Case sensitivity
....Z 1 #ID of the clause
..A #Action Clause(s)
...E Record to Event Viewer #Record Event
....Z 3 #ID of the clause
.R Run Key-Filter #Rule Definition
..D Detects changes to the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" Key. #Rule Description
..Z 4693 #Rule ID
..T #Indirect Rule
..V 0 #Rule Value
..S #Select Clause(s)
...Q Select NT Registry Key #NT Registry
....T * #Regular text
....T \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\* #Regular text
....T 3145920 #Regular text
....C 0 #Case sensitivity
....Z 4729 #ID of the clause