rule VirTool_WinNT_Rootkitdrv_AQ{
	meta:
		description = "VirTool:WinNT/Rootkitdrv.AQ,SIGNATURE_TYPE_PEHSTR_EXT,07 00 07 00 07 00 00 01 00 "
		
	strings :
		$a_02_0 = {55 8b ec 8b 0d 90 01 03 00 8b 40 01 8b 09 83 ec 14 56 8b 34 81 80 3e e9 75 11 8b 45 90 01 01 2b c6 83 e8 05 39 46 01 75 04 33 c0 eb 77 90 00 } //01 00 
		$a_00_1 = {5a 77 51 75 65 72 79 56 61 6c 75 65 4b 65 79 } //01 00 
		$a_00_2 = {5a 77 45 6e 75 6d 65 72 61 74 65 4b 65 79 } //01 00 
		$a_00_3 = {5a 77 43 72 65 61 74 65 46 69 6c 65 } //01 00 
		$a_00_4 = {5a 77 43 72 65 61 74 65 53 65 63 74 69 6f 6e } //01 00 
		$a_00_5 = {4b 65 53 65 72 76 69 63 65 44 65 73 63 72 69 70 74 6f 72 54 61 62 6c 65 } //01 00 
		$a_00_6 = {5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 52 00 6f 00 6f 00 74 00 5c 00 53 00 79 00 73 00 74 00 65 00 6d 00 33 00 32 00 5c 00 76 00 73 00 5f 00 6d 00 6f 00 6e 00 2e 00 64 00 6c 00 6c 00 } //00 00 
	condition:
		any of ($a_*)
 
}