Three major antivirus companies describe the actions of the new Dopbot worm in a quite different way.

Symantec (http://securityresponse.symantec.com/avcenter/venc/data/w32.dopbot.html) says that it sets:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=Y

Sophos (http://www.sophos.com/virusinfo/analyses/w32dopbota.html) says that it sets:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=N

Trend Micro (http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOPBOT%2EA&VSect=T) says that it sets:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=N

Quite a big difference! Symantec's version decreases security, Sophos's increases. It doesn't seem to be a typo, as this fact is clearly stated on both sites. Regarding the naming: Sophos W32/Dopbot-A = Symantec w32.dopbot.

I am interested which site is correct. Or did they found three completely different samples at exactly the same time? :P
-hojtsy-

{QUOTE-> I am interested which site is correct. Or did they found three completely different samples at exactly the same time? :P
-hojtsy- <-QUOTE}
Being a NAV Chauvinist Pig, I will support Symantec! ;D ;D ;D

Being a former TrendMicro user, I will support Trend :P

Looks like Symantec are right. This worm exploits the DCOM vunerability so surely the reg must be set to EnableDCOM=Y

{QUOTE-> Looks like Symantec are right. This worm exploits the DCOM vunerability so surely the reg must be set to EnableDCOM=Y <-QUOTE}
That's not much proof. There were worms in the past which patch/fix a vulnerability after using it to infect the computer.
-hojtsy-

Now come on...All three companies are mediocre...trust one and only one...KASPERSKY!!!!!