Downadup / Conficker Just Getting Started?

03:25 - Monday 26 January 2009 by Kevin Parrish
Source: Tom's Hardware UK. Keywords: Malicious, Worm, Hacker, Code. Category: Miscellaneous

The Downadup/Conficker worm has so far infected an estimated 6 percent of PCs worldwide, and researchers are waiting for its climactic "second act" of doom.

So what exactly is the overall plan now that the hackers behind it control so many PCs? That is the question experts are asking, with a mixture of bafflement and admiration. Those same experts describe Downadup/Conficker as a "very well-engineered" piece of malware, and there is speculation that the author of the fast-spreading worm is no novice at malware programming.

"This is a very well-engineered piece of software," said Alfred Huger, vice president of development at Symantec Corp.'s security response group. "It's very well thought out. Whoever wrote it, it's not their first time writing malware. It looks as if the author has had a great deal of experience writing software, and is fully versed in writing network-level code." He even went on to describe the Downadup worm as "downright elegant," meaning the author didn't write the malicious code on the fly.

Experts say it is the second-stage payload that is the real source of concern. At the moment the worm does nothing overtly harmful, such as stealing information or destroying hardware. Its only apparent mission is to replicate (that is, to build its network of hosts), then remain dormant and wait for further instructions. Its waiting is not harmless, though: not only can the worm download further malicious code, it also blocks infected users from reaching antivirus websites, preventing the updates that would protect the PC from it.

However, F-Secure believes that the infection has peaked. "Today seems better than the day before and we think that growth of Downadup has been curbed. Disinfection of the worm remains a challenge." The company charted yesterday's IP count, logging just over one million unique addresses, with the largest number of infected computers reporting from China (15.1 percent), Russia (13.9 percent), and Brazil (11.9 percent). The company also noted that there may be any number of computers sitting behind a single IP address, so the overall count may be smaller than the actual infected numbers.

But even if Downadup has reached its peak, there is no question that the worm will eventually deliver its payload. What exactly that payload will do remains the big issue, and experts also wonder why it is taking so long to appear. Is the author still waiting to gather more PCs into the network? What is the method to all this madness? "They've obviously put a lot of thought into the worm. They've been very methodical," Huger told ComputerWorld. The consensus is that if the author doesn't get down to business soon, some other hacker will dissect the worm and finish the job themselves.

The Downadup worm also spreads by way of file sharing and USB drives, copying itself onto removable media and relying on Windows' "AutoRun" feature to launch. PCs that are already patched can still be infected this way; disabling the AutoRun feature helps deter that route of infection.
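The AutoRun mitigation mentioned above is a registry policy on Windows. The following PowerShell script is an added example, not code from the article or from any of the vendors it quotes: it audits and then sets the NoDriveTypeAutoRun policy value, which is the documented Windows switch for AutoRun and is not named on the page. The helper names Get-AutoRunState and Disable-AutoRun are the example's own.

```powershell
# Added example (not from the article): audit and disable AutoRun on Windows,
# the mitigation the article recommends against Downadup/Conficker spreading
# via USB drives.
# Assumption: NoDriveTypeAutoRun is the documented policy value; it is a bit
# mask with one bit per drive type, so 0xFF turns AutoRun off for all of them.

$PolicyPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',   # machine-wide
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'    # current user
)
$DisableAll = 0xFF

function Get-AutoRunState {
    # Report the current NoDriveTypeAutoRun value for each policy hive.
    foreach ($path in $PolicyPaths) {
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun `
                  -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{
            Hive     = $path.Split(':')[0]
            Value    = if ($null -eq $value) { 'not set (AutoRun enabled by default)' }
                       else { '0x{0:X2}' -f $value }
            Hardened = ($value -eq $DisableAll)
        }
    }
}

function Disable-AutoRun {
    # Write the policy value to both hives, creating the key if it is absent.
    foreach ($path in $PolicyPaths) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name NoDriveTypeAutoRun -Value $DisableAll -Type DWord
    }
}

# Audit first, harden, then audit again. Run from an elevated prompt so the
# HKLM write succeeds; the change takes effect at the next logon.
Get-AutoRunState | Format-Table -AutoSize
Disable-AutoRun
Get-AutoRunState | Format-Table -AutoSize
```

The audit step matters as much as the fix: a machine that reports "not set" or a value other than 0xFF is still willing to execute whatever a removable drive's autorun.inf points at. On Windows XP and Vista of that era, Microsoft's AutoRun update (KB967715) was also needed for the policy value to be honoured consistently.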


david__t 27/01/2009 12:26

Fire Sale anyone?
