Close Your Windows Blinds and Watch Out for Kido

By Irene Collins
01:22, January 17th 2009

Security researchers at F-Secure Corp. today said that 6.5 million Windows PCs have been infected by the "Downadup" or "Kido" worm in the last four days, and that nearly 9 million have been compromised in just over two weeks. In other words, the worm, also known as "Conficker," is back, mostly due to its amazing ability to get around via USB thumb drives.

Downadup is a large family of network worms. They are unusually difficult to remove, especially in case of an internal infection inside a corporate network. Downadup uses several different methods to spread. These include using the recently patched vulnerability in Windows Server Service, guessing network passwords and infecting USB sticks.

The malicious program was first discovered in October 2008. Despite the fact that Microsoft has released a patch, 3.5 million machines have been affected and it is still a major threat to users. Users should ensure they install Microsoft patch MS08-067 and have up-to-date anti-virus software.

The Downadup or Conficker worm exploits a bug in Microsoft Windows to infect mainly corporate networks, where it potentially exposes infected PCs to hijack. The problem isn't so much with the older version of Conficker (now known as Conficker.A) but with a new flavor, dubbed Conficker.B.

Once run or given access to an unprotected machine, Conficker.B begins searching for other systems or shares within the local network that it can infect. Shared systems, removable drives, or unpatched systems are all eligible targets, as are machines with weak passwords.

Once this worm infects a machine, it protects itself very aggressively. It does this by setting itself to restart very early in the boot-up process of the computer and by setting Access Rights to the files and registry keys of the worm so that the user cannot remove or change them.

Now this new variation of the worm, called also uses a few new additional tricks to help itself spread. The worm self-replicates in a random folder created inside the RECYCLER directory, which is used by the Recycle Bin to store deleted files. The worm then creates an autorun.inf file in the root folder of the drive, and automatically executes if the Autorun feature is enabled, BitDefender researchers said.
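As an added example (not from the original article or from BitDefender), the following Python code shows how a defender could inspect a drive's autorun.inf for launch commands that point into a RECYCLER folder, the layout described above. The function names and the sample file contents are constructed for illustration.

```python
import re

# Keys in the [autorun] section that cause a program to be launched.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

def launch_targets(autorun_text):
    """Return (key, command) pairs from the [autorun] section of an autorun.inf."""
    targets, in_autorun = [], False
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            if LAUNCH_KEYS.match(key.strip()):
                targets.append((key.strip().lower(), value.strip()))
    return targets

def suspicious_entries(autorun_text):
    """Flag launch commands whose path runs through a RECYCLER directory."""
    hits = []
    for key, command in launch_targets(autorun_text):
        # Split on separators and whitespace so "RECYCLER\x" and "recycler/x" both match.
        parts = re.split(r"[\\/\s]+", command.replace('"', "").lower())
        if "recycler" in parts:
            hits.append((key, command))
    return hits

# Constructed sample inputs (not taken from a real infection).
SAMPLE_FLAGGED = r"""
[AutoRun]
; constructed sample
icon=folder.ico
open=RECYCLER\S-0-0-00-CONSTRUCTED\sample.exe
shell\open\command=RECYCLER\S-0-0-00-CONSTRUCTED\sample.exe
"""
SAMPLE_CLEAN = "[autorun]\nopen=setup.exe\nicon=setup.ico\n"

if __name__ == "__main__":
    for name, text in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(name, suspicious_entries(text))
```

A hit means the file deserves a closer look; it is not proof of infection on its own.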

Certain TCP functions are also patched to block access to security-related Web sites by filtering every address that contains certain strings, BitDefender reported. This makes it harder to remove because information about it is difficult to gather from an infected computer. Additionally, the sneaky little worm removes all access rights of the user, except execute and directory usage, to protect its files.

The vulnerability affects Microsoft Windows 2000, Windows XP, and Windows Server 2003. Although Microsoft fixed the flaw with one of its rare "out of cycle" updates in late October, about a third of all PCs have not yet been patched, according to Qualys Inc., another security company. Those PCs are the ones being hijacked by the worm.



Image Credit: www.coolcircuit.com