Microsoft Identifier used in EquationDrug Platform

YARA ---------------------------------------------------------------------------------------

import "pe"

rule EquationDrug_MS_Identifier {
    meta:
        description = "Microsoft Identifier used in EquationDrug Platform"
        author = "Florian Roth @4nc4p"
        date = "2015/03/11"
    strings:
        $s1 = "Microsoft(R) Windows (TM) Operating System" fullword wide
    condition:
        // Epoch for 01.01.2000
        $s1 and pe.timestamp > 946684800
}

-------------------------------------------------------------------------------------------

Comment:
Seems to be a Product string used in Windows NT (please confirm). Compile dates of the samples listed below range from 2001 to 2009. This product string should not appear in system files of newer Windows versions (2000+).

Tested against:
Windows 2003
Windows 2008
Windows XP
Windows 7

Google Search:
https://www.google.de/search?q=%22Microsoft(R)+Windows+(TM)+Operating+System%22+inurl:virustotal.com

Matches from the EquationDrug Report:
74de13b5ea68b3da24addc009f84baee - Compiled 2001-2007
8d87a1845122bf090b3d8656dc9d60a8 - Compiled 2008-2009
20506375665a6a62f7d9dd22d1cc9870 - Compiled 2003-2006
c4f8671c1f00dab30f5f88d684af1927 - Compiled 2008
5767b9d851d0c24e13eca1bfd16ea424 - Compiled 2008

Source: (Awesome work by Kaspersky)
http://securelist.com/blog/research/69203/inside-the-equationdrug-espionage-platform/

Advice:
Do not use the "pe" module in productive environments yet.