W32.Dopbot worm strangeness

Discussion in 'other anti-virus software' started by hojtsy, Feb 15, 2005.

Thread Status:
Not open for further replies.
  1. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Three major antivirus companies describe the actions of the new Dopbot worm in a quite different way.

    Symantec says that it sets:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=Y

    Sophos says that it sets:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=N

    Trend Micro says that it sets:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=N

    Quite a big difference! Symantec's version decreases security, Sophos's increases. It doesn't seem to be a typo, as this fact is clearly stated on both sites. Regarding the naming: Sophos W32/Dopbot-A = Symantec w32.dopbot.

    I am interested which site is correct. Or did they find three completely different samples at exactly the same time? :p
    -hojtsy-
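
A quick way to see which of the three write-ups matches a given host, as an added example that is not from the thread or from any of the vendors: a PowerShell audit that reads the two values quoted above and compares them with each vendor's claim (assumes PowerShell with the HKLM: drive available and the value names exactly as quoted in the post).

```powershell
# Added example (not from the thread): read the two registry values the vendors
# disagree on and report which vendor description the observed values match.
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'

function Get-RegValueOrNull([string]$Path, [string]$Name) {
    # Return $null when the key or the value is absent instead of throwing
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$restrictAnonymous = Get-RegValueOrNull $lsaKey 'restrictanonymous'
$enableDcom        = Get-RegValueOrNull $oleKey 'EnableDCOM'

# 0 allows anonymous (null-session) enumeration; higher values restrict it,
# with exact semantics depending on the Windows version. EnableDCOM Y/N is the
# machine-wide DCOM switch.
Write-Host "restrictanonymous = $restrictAnonymous"
Write-Host "EnableDCOM        = $enableDcom"

if ($null -eq $restrictAnonymous -or $null -eq $enableDcom) {
    Write-Host 'One of the values is absent; no vendor comparison made.'
    return
}

# Values as reported by each vendor in the first post
$claims = @{
    'Symantec'    = @{ restrictanonymous = 0; EnableDCOM = 'Y' }
    'Sophos'      = @{ restrictanonymous = 2; EnableDCOM = 'N' }
    'Trend Micro' = @{ restrictanonymous = 0; EnableDCOM = 'N' }
}

foreach ($vendor in $claims.Keys) {
    $c = $claims[$vendor]
    $match = ([int]$restrictAnonymous -eq $c.restrictanonymous) -and
             ("$enableDcom" -eq $c.EnableDCOM)
    if ($match) { Write-Host "Observed values match the $vendor description" }
}
```

Run it on a host suspected of infection (and on a clean one for a baseline), since a match only tells you which write-up agrees with that machine, not which vendor analysed the "right" sample.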
     
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Being a NAV Chauvinist Pig, I will support Symantec! :D :D :D
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Being a former TrendMicro user, I will support Trend :p
     
  4. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    Looks like Symantec are right. This worm exploits the DCOM vulnerability, so surely the reg must be set to EnableDCOM=Y
     
  5. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    That's not much proof. There were worms in the past which patch/fix a vulnerability after using it to infect the computer.
    -hojtsy-
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    7,927
    Location:
    The land of no identity :D
    Now come on...All three companies are mediocre...trust one and only one...KASPERSKY!!!!!
     