April 09, 2009 08:47  by Kris Abel
The Conficker.C worm, which captured imaginations and was at the centre of a media frenzy two weeks ago, has finally changed its status. It infected millions of computers around the world and was programmed to activate them on April 1st to form a peer-to-peer network with the potential to perform complex activities across the internet. Some experts feared that would mean an attack, while others thought it could more reasonably be the usual cyber crime of spreading spam and stealing credit card numbers. April 1st came, the infected computers became active, and they began to search for new instructions as to what to do next. Those instructions never arrived. Until this week.

Experts at Trend Micro are reporting that infected computers received a download from the worm's creators this past Wednesday. There is debate as to what the result of that download is: some feel that it has created a new variant of the Conficker.C virus, while other experts believe it has merely updated the existing one. In either case, it would seem the worm has been given a purpose, as it is busy assembling more pieces of code for what some are predicting will be a keylogger that will allow it to record sensitive information from the computers it infects. Whatever the purpose is, it comes with a new date. On May 3rd, the Conficker worm is set to deactivate. Infected computers will still be in a position to receive new updates and instructions, but the spread of the worm itself will cease. Speaking to the sophistication of the worm, Trend Micro says that the new version of Conficker.C is designed to remove all traces of itself from the infected computer and is programmed to test the infected computer’s ability to access the internet by instructing it to try to access popular websites including MySpace.com, CNN.com, eBay.com, etc., but in such a way as to avoid causing online congestion.

Deepening the mystery is the presence of a connection to previous viruses. During the process of updating itself, Conficker.C accessed a server in Korea that is associated with the Waledac series of malware, suggesting that the creators of Conficker may belong to the same crime gang behind Waledac.

What hasn’t changed is the way Conficker infects computers. It is still using the same Windows exploit as before, one that Microsoft patched back in October, so as before, if you have applied the latest Windows updates and are running commercial anti-spyware software, you are fine.

Here in North America, only a very small percentage of computers were infected by the Conficker worm, most within large corporations. Symptoms of the Conficker worm include an inability to connect to security websites.

Joe Stewart has put together a clever Eye Chart of Conficker symptoms so you can decide if your computer has been infected. (If that link is down, you can also try here)

All of the major anti-spyware companies have Conficker removal tools. I suggest you visit the website of the company whose anti-virus software you use (McAfee, Symantec, etc.).

For free Anti-Virus software I recommend AVG Free Edition.
