W32.Dopbot worm strangeness

Discussion in 'other anti-virus software' started by hojtsy, Feb 15, 2005.

Thread Status:
Not open for further replies.
  1. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    Three major antivirus companies describe the actions of the new Dopbot worm in a quite different way.

    Symantec says that it sets:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=Y

    Sophos says that it sets:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=2
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=N

    Trend Micro says that it sets:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\restrictanonymous=0
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole\EnableDCOM=N

    Quite a big difference! Symantec's version decreases security, Sophos's increases. It doesn't seem to be a typo, as this fact is clearly stated on both sites. Regarding the naming: Sophos W32/Dopbot-A = Symantec w32.dopbot.

    I am interested which site is correct. Or did they find three completely different samples at exactly the same time? :p
    -hojtsy-
     
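    As an added example that is not from the thread, a PowerShell audit that reads the two values the three write-ups disagree about and flags the security-weakening state; the key paths and value names are the ones quoted above, while the "weak" classification (restrictanonymous=0, EnableDCOM=Y) is my assumption taken from the Symantec description.

    ```powershell
    # Added example (not from the thread): audit the two registry values the
    # three write-ups disagree about and report whether each is currently in
    # the security-weakening state. A weakened value alone is not proof of
    # infection; it is a setting to review and, if unexpected, correct.

    $checks = @(
        @{
            Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
            Name = 'restrictanonymous'       # REG_DWORD
            Weak = @(0)                      # 0 = anonymous enumeration permitted
            Note = 'Controls anonymous SAM/share enumeration over null sessions'
        },
        @{
            Path = 'HKLM:\SOFTWARE\Microsoft\Ole'
            Name = 'EnableDCOM'              # REG_SZ, "Y" or "N"
            Weak = @('Y')                    # Y = DCOM enabled machine-wide
            Note = 'N disables DCOM entirely; Y is the Windows default'
        }
    )

    function Get-DopbotRegistryState {
        foreach ($c in $checks) {
            # -ErrorAction SilentlyContinue: a missing value yields $null, not a crash
            $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            $value = if ($null -ne $item) { $item.($c.Name) } else { $null }
            $state = if ($null -eq $value)          { 'missing' }
                     elseif ($c.Weak -contains $value) { 'WEAKENED' }
                     else                            { 'ok' }
            [pscustomobject]@{
                Key   = "$($c.Path)\$($c.Name)"
                Value = $value
                State = $state
                Note  = $c.Note
            }
        }
    }

    # Run as a user who can read HKLM; no elevation is needed for reading these keys.
    Get-DopbotRegistryState | Format-Table -AutoSize
    ```

    Run it before and after cleanup to see which of the three descriptions matches what the sample actually left on a given machine.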
  2. Randy_Bell

    Randy_Bell Registered Member

    Joined:
    May 24, 2002
    Posts:
    3,004
    Location:
    Santa Clara, CA
    Being a NAV Chauvinist Pig, I will support Symantec! :D :D :D
     
  3. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,053
    Location:
    The land of no identity :D
    Being a former TrendMicro user, I will support Trend :p
     
  4. Ianb

    Ianb Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    232
    Location:
    UK
    Looks like Symantec are right. This worm exploits the DCOM vulnerability so surely the reg must be set to EnableDCOM=Y
     
  5. hojtsy

    hojtsy Registered Member

    Joined:
    Dec 28, 2003
    Posts:
    351
    That's not much proof. There were worms in the past which patch/fix a vulnerability after using it to infect the computer.
    -hojtsy-
     
  6. Firecat

    Firecat Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    8,053
    Location:
    The land of no identity :D
    Now come on...All three companies are mediocre...trust one and only one...KASPERSKY!!!!!
     