W32.Dopbot worm strangeness

[hojtsy]

Three major antivirus companies describe the actions of the new Dopbot worm in a quite different way.

Symantec says that it sets:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=Y

Sophos says that it sets:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=N

Trend Micro says that it sets:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=N

Quite a big difference! Symantec's version decreases security, Sophos's increases. It doesn't seem to be a typo, as this fact is clearly stated on both sites. Regarding the naming: Sophos W32/Dopbot-A = Symantec w32.dopbot.

I am interested which site is correct. Or did they found three completely different samples at exactly the same time?
-hojtsy-

[Randy_Bell]

Quote:

Originally Posted by hojtsy

I am interested which site is correct. Or did they found three completely different samples at exactly the same time?
-hojtsy-

Being a NAV Chauvinist Pig, I will support Symantec!

[Firecat]

Being a former TrendMicro user, I will support Trend

[Ianb]

Looks like Symantec are right. This worm exploits the DCOM vunerability so surely the reg must be set to EnableDCOM=Y

[hojtsy]

Quote:

Originally Posted by Ianb

Looks like Symantec are right. This worm exploits the DCOM vunerability so surely the reg must be set to EnableDCOM=Y

That's not much proof. There were worms in the past which patch/fix a vulnerability after using it to infect the computer.
-hojtsy-

[Firecat]

Now come on...All three companies are mediocre...trust one and only one...KASPERSKY!!!!!