Security: Conficker Worm Is Back Despite The Patch (10/5/2010)
The Conficker worm (also called Downadup by some anti-virus vendors) is spreading quickly despite the fact that Microsoft released a patch for the vulnerability back in October. Partly that's because many systems have remained unpatched, but it's also because the latest versions have ways of infecting systems that have already been patched. Estimates are that up to almost 9 million computers were infected over a four-day period.

Microsoft has added the worm to its Malicious Software Removal Tool (MSRT), and there are other ways you can reduce your exposure.
According to the Washington Post article "Tricky Windows Worm Wallops Millions": A sneaky computer worm that uses a virtual Swiss Army knife of attack techniques has infected millions of Microsoft Windows PCs, and appears to be spreading at a fairly rapid pace, security experts warn.
Also, while infected PCs could be used for a variety of criminal purposes -- from relaying spam to hosting scam Web sites -- there are signs that this whole mess may be an attempt to further spread so-called "scareware," which uses fake security alerts to frighten consumers into purchasing bogus computer security software.

The worm, called "Downadup" and "Conficker" by different anti-virus companies, attacks a security hole in a networking component found in most Windows systems. According to estimates from Finnish anti-virus maker F-Secure Corp., the worm has infected between 2.4 million and 8.9 million computers during the last four days alone.
If accurate, those are fairly staggering numbers for a worm that first surfaced in late November. Microsoft issued an emergency patch to fix the flaw back in October, but many systems likely remain dangerously exposed.

One reason for this is that businesses will generally test patches before deploying them on internal networks to ensure the updates don't break custom software applications. In the meantime, an infected laptop plugged into a vulnerable corporate network can quickly spread the contagion to all unpatched systems inside that network.
But the worm also has methods for infecting systems that are already patched against the Windows vulnerability. According to an analysis last week by Symantec, the latest versions of Downadup copy themselves to all removable or mapped drives on the host computer or network. This means that if an infected system has a USB stick inserted into it, that USB stick will carry the infection over to the next Windows machine that reads it. That's an old trick, but apparently one that is still very effective.
Security experts say the worm instructs infected hosts each day to visit one or more of about 250 potential control servers -- basically, pseudo-random domain names -- in order to download instructions or malicious software updates from the worm's authors. With such a system, security experts would have to register all 250 domains each day in order to kill off the worm, a costly and untenable solution. In contrast, the worm authors need only register one of those 250 domains to update all infected systems with new instructions and software.

F-Secure arrived at its infection estimates by registering a number of those domains, and then watching to see how many infected systems would try to contact the control servers. In addition to counting the number of bots reporting in for duty, researchers found another way to count victim PCs: Turns out, each infected host reporting to the control server is configured to report the number of Windows systems it has succeeded in infecting.
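The daily domain rendezvous and the sinkhole counting described in the two paragraphs above, as an added example that is not code from the article or from any vendor it quotes. The date-seeded generator is a toy stand-in (the article does not describe the worm's real algorithm), the sinkhole log format and its check-in lines are constructed for the demo, and the `x-infected=` field stands in for whatever the real bots reported.

```python
"""Added example, not from the article or any named vendor: a toy
date-seeded domain generator plus a sinkhole tally, showing why holding
a few of the day's domains lets researchers count bots while the worm's
authors still need only one unheld domain to reach every infected host."""
import datetime
import hashlib
from collections import Counter

DOMAINS_PER_DAY = 250
TLDS = ("com", "net", "org")


def daily_domains(day, seed=b"toy-dga"):
    """Deterministic pseudo-random domain list for `day` (toy algorithm).

    Anyone who knows the algorithm and the date can compute this list,
    which is what lets both attackers and researchers pre-register entries."""
    out = []
    for i in range(DOMAINS_PER_DAY):
        material = seed + day.isoformat().encode() + bytes([i >> 8, i & 0xFF])
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        out.append("%s.%s" % (label, TLDS[digest[-1] % len(TLDS)]))
    return out


def authors_still_reachable(day, held_by_defenders):
    """The asymmetry from the article: defenders must hold every one of the
    day's domains to cut the worm off; the authors need just one unheld."""
    return any(d not in held_by_defenders for d in daily_domains(day))


def parse_checkin(line):
    """Parse one constructed sinkhole log line of the form
    '<ISO time> <src ip> GET <domain> x-infected=<n>'."""
    ts, ip, _method, domain, tail = line.split()
    reported = int(tail.split("=", 1)[1])
    return ts, ip, domain, reported


def sinkhole_tally(log_lines, held_by_defenders):
    """Count distinct hosts that hit a sinkholed domain and sum the
    infection counts they self-report.  Returns (hosts, reported_total).

    The self-reported number only covers infections made through the
    Windows flaw (Schouwenberg's caveat), so treat it as a floor."""
    hosts = set()
    reported = Counter()
    for line in log_lines:
        _, ip, domain, n = parse_checkin(line)
        if domain not in held_by_defenders:
            continue  # went to a domain we do not hold; invisible to us
        hosts.add(ip)
        reported[ip] = max(reported[ip], n)  # a host may check in repeatedly
    return len(hosts), sum(reported.values())


DAY = datetime.date(2009, 1, 16)
TODAY = daily_domains(DAY)
HELD = set(TODAY[:5])  # researchers registered 5 of the day's 250 domains

SAMPLE_LOG = [  # constructed check-ins, not real traffic
    "2009-01-16T00:01:02Z 10.0.0.7 GET %s x-infected=3" % TODAY[0],
    "2009-01-16T00:01:05Z 10.0.0.7 GET %s x-infected=3" % TODAY[1],   # same host again
    "2009-01-16T00:02:11Z 10.0.0.9 GET %s x-infected=0" % TODAY[4],
    "2009-01-16T00:03:40Z 10.0.1.2 GET %s x-infected=12" % TODAY[200],  # unheld: unseen
]

if __name__ == "__main__":
    hosts, total = sinkhole_tally(SAMPLE_LOG, HELD)
    print("distinct hosts seen:", hosts, "self-reported infections:", total)
    print("authors still reachable with 5 domains held:",
          authors_still_reachable(DAY, HELD))
    print("authors still reachable with all 250 held:",
          authors_still_reachable(DAY, set(TODAY)))
```

Holding 5 of 250 domains yields a host count and a self-reported total, while `authors_still_reachable` only turns false once every one of the day's domains is held, which is the cost asymmetry the article describes. The third constructed host never appears in the tally because it picked an unheld domain, which is why sinkhole counts need extrapolation, and why two teams extrapolating differently can land at 1 million and 9 million.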
Some experts say F-Secure's estimates are grossly inflated. Paul Royal, chief scientist for Damballa, an Atlanta-based security firm that has conducted similar tests by registering some of the domains Downadup hosts are seeking, estimates the total number of infected systems to be between 500,000 and one million.
"It's not as though their extrapolation methodology sounds unreasonable, [but] it's not consistent with what we're seeing in terms of volume of hosts hitting" the control servers, Royal said.
But Roel Schouwenberg, senior antivirus researcher with Kaspersky Lab Americas, said F-Secure's estimates were probably lower than the actual number of infected systems. He said that's in part because infected systems reporting the number of machines they have in turn infected only count those that have been infested using the Microsoft flaw.

"The model they are using is, as they say, conservative. The actual number of machines that have been infected should have been higher," Schouwenberg said. "As I believe that the importance of the other replication methods is currently undervalued we could be looking at 10 million compromised machines easily."
Regardless, even if the worm authors of Downadup only control a half million PCs, that would far eclipse the size of the largest known collection of hacked PCs on the planet (see "Meet the New Bots: Will We Get Fooled Again" for a look at this year's most massive and sophisticated botnets).
So what diabolical plans does this worm have in store for host systems? Such a network certainly would make a very effective spamming machine for junk e-mail artists, but Damballa's Royal said there are no signs that the infected systems are being used for spam. Rather, he said, it appears the worm and its subsequent variants may have been created for no other purpose than to generate income for people who get paid to install rogue anti-virus software, so-called "scareware" products like "AntivirusXP2009" and "VirusRemover2009."
Royal said the original control server for Downadup used a Web service that also was used by a large number of sites that pushed rogue anti-virus products.

"Plus, the original downloader file installed [by the worm] looked suspiciously like the names of the rogue anti-virus installers we've seen," Royal said. "That strongly indicates that at the top of this pyramid is someone trying to make a lot of money from rogue anti-virus software sales."
It is likely that Microsoft itself will play a major part in cleaning up after this worm. As part of its regular Patch Tuesday cycle this week, Microsoft added Downadup to its "malicious software removal tool" (MSRT), an optional component that can scan for and remove some of the most prevalent threats in circulation today.
Windows users also can reduce their exposure to this worm and other malware that piggybacks on USB drives and other removable media by turning off the Autoplay feature in Windows. I included instructions for doing this in a recent blog post. Microsoft also has instructions for doing this.
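The removable-media spread described earlier and the Autoplay advice just above, as an added example that is not from the article: it triages the autorun.inf found on a mounted stick and emits the registry policy that disables AutoRun for every drive type (`NoDriveTypeAutoRun` = 0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, the value Windows Group Policy uses for that setting). Both autorun.inf samples are constructed, and the DLL and EXE names in them are placeholders, not the worm's real file names.

```python
"""Added example, not from the article: autorun.inf triage for removable
media plus the .reg policy that disables AutoRun on all drive types.
Sample autorun.inf contents below are constructed for the demo."""
import re

# Keys whose value Windows launches when the volume is inserted.
LAUNCH_KEYS = {"open", "shellexecute"}
EXECUTABLE_EXT = re.compile(r"\.(exe|dll|com|scr|bat|cmd|vbs|js|pif)\b", re.IGNORECASE)


def parse_autorun(text):
    """Return {key: value} from the [autorun] section.

    Hand-rolled rather than configparser so junk lines, comments and
    duplicate keys (last one wins) do not abort the scan."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue  # junk or an unrelated section
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """List reasons the volume's autorun.inf looks like a propagation
    vector: a launch key or shell\\<verb>\\command that runs an executable
    from the volume, or loads a DLL through rundll32."""
    findings = []
    for key, value in parse_autorun(text).items():
        is_shell_verb = key.startswith("shell\\") and key.endswith("\\command")
        if key not in LAUNCH_KEYS and not is_shell_verb:
            continue
        if "rundll32" in value.lower():
            findings.append("%s= loads a DLL via rundll32: %s" % (key, value))
        elif EXECUTABLE_EXT.search(value):
            findings.append("%s= runs an executable from the volume: %s" % (key, value))
    return findings


def autorun_disable_reg():
    """Text of a .reg file applying NoDriveTypeAutoRun=0xFF, which disables
    AutoRun for all drive types.  Import with regedit or push via GPO."""
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion"
        "\\Policies\\Explorer]\r\n"
        '"NoDriveTypeAutoRun"=dword:000000ff\r\n'
    )


# Constructed sample mimicking a worm-dropped file: junk before the section,
# a DLL loaded via rundll32 and a shell verb pointing at an EXE on the stick.
SAMPLE_AUTORUN_INF = """\x01\x02 binary junk that a naive INI parser would choke on
[autorun]
; constructed sample, not a real malware file
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shellexecute=RUNDLL32.EXE .\\RECYCLER\\setup.dll,Install
shell\\open\\command=.\\RECYCLER\\autorun.exe
"""

# Constructed benign sample: label and icon only, nothing launched.
BENIGN_AUTORUN_INF = """[autorun]
label=Holiday photos
icon=photos.ico
"""

if __name__ == "__main__":
    for name, inf in (("sample", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        hits = assess_autorun(inf)
        print(name, "->", hits or "no launch entries")
    print(autorun_disable_reg())
```

The triage is a defender's view of the USB trick: the file is plain text the worm needs Windows to honour, so a scan of removable volumes for launch keys catches it regardless of whether the host is patched against the network flaw. The .reg policy removes the dependency on the user pressing the right button in the Autoplay prompt.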