Perhaps calling it DDAY is a little over hyped. Mind you, nothing like the hype associated with people who call the worm du jour "Kama Sutra", which of course is a book that shows a number of different positions to do what some members of the media have done to the name of Win32/VB.NEI!

Anti-virus companies have over a dozen different names for the same worm so the charges of name mangling could be leveled against the AV industry as well. That said, with names like VB.NEI, W32/Small.KI, Win32.Worm.P2P.ABM, and W32.Blackmal.E@mm you can't blame the AV industry for choosing virus names based upon lust for attention.

I'm not sure about one vendor calling it Mywife.d@MM. I'm guessing the next one will be MyExWife.A, Alimony.A@MM, or EvilLawyer.zz@mm. At least it isn't a worm called MyDog.d@MM, in which case the services of a veterinarian would be in order.

Thanks to the Common Malware Enumeration project we can all call it CME-24 (http://cme.mitre.org/data/list.html#24) and sound like we all know the technical name of a carcinogen.

DDAY is what Gadi Evron is saying February third may be for several hundred thousand computer users http://www.eweek.com/article2/0,1895,1915070,00.asp. I have the pleasure of working with Gadi and a great group of people in MWP and DA. There has been a concerted effort to track and assess the impact of this worm. Additionally work has been done to try to mitigate the threat, but users need to take an active role in securing their own PCs as well.

Here at ESET we call this worm the Win32/VB.NEI worm. VB.NEI will deliver its payload on the third of each month beginning in February 2006.

On the third day of each month VB.NEI will overwrite files that have any of the following extensions:

.doc, .xls, .mdb, mde, .ppt, .pps (These are usually Microsoft Office files)
.zip, .rar (These are usually archive files)
.pdf, .psd (These are usually Adobe Acrobat files)
.dmp (These are usually system related diagnostic files)

It looks like there are probably less than 500,000 people in the world infected with this virus, but for those who are it will not be pretty. This is unfortunate because the people who lose data because of this worm are already at great risk due to two significant oversights.

The first oversight is the lack of a back up routine. If the data is backed up the lost files are easily replaced. One doesn't need a virus to lose files - hardware failures or accidents involving fingers and keyboards can cause files to be lost.

The second oversight is failing to use anti-virus software. If you take a look at ESET's virus radar (http://www.virusradar.com/) you will see that this worm ranks third. These statistics show that users of NOD32 are being protected from the threat we see as the third most prevalent in email today (and this week). Are you sending this worm out in email? Is our system infected? Well, no, not if you have the current version of NOD32 with current updates. If you do not use NOD32 and want to make sure that you are not at risk from this worm you can try NOD32 for 30 days at no cost by downloading a fully functional trial version at http://www.nod32.com/download/trial.htm.

Do be sure to back up your data and remember Clinical studies prove that when applied before February 3, 2006 NOD32 can protect you from the harmful effects of CME-24 exposure!

Randy Abrams
Director of Technical Education
ESET LLC