The first day of April 2009 is when security analysts around the world will watch to see what happens to thousands of computers because of the Conficker worm, a family of malware that is now widespread and affecting 10 million computers.

Conficker, also known as Downadup, is spread in three ways, including via exploit, weak passwords, and the use of autorun.inf files which are copied to USB drives.

Cat and Mouse

Graham Cluley, a security analyst with Sophos, said it's not possible for analysts to figure out what the payload could be because it's not yet present in the Conficker code.

"Some people have got rather confused as to what the April 1st deadline really means," Cluley said in an official blog post. "The truth is that Conficker is not set to activate a specific payload on April 1st. Rather, on April 1st Conficker will begin to attempt to contact the 50,000-a-day potential call-home Web servers from which it may receive updates."

Beyond that, Cluley said there's no guarantee the download will even occur on the first day of April. It all depends on when the authors of the malicious code choose to register a domain out of the 50,000 listed each day.

Jart Armin, a security expert with HostExploit, agrees. "The April 1st date would appear to be speculation; in the four or so worm variations seen so far, all have had various 'call home for an update' dates, times and varying locations," Armin said. "Conficker remains a dangerous threat, but its masters are obviously playing a cat-and-mouse game with the community, constantly matching any publicized anti-measures, and it's normal business as usual for malware in general."

Armin warned that the authors of the code may be using April Fools' Day to distract people while they commit other attacks. "It is important to remember, when observing illusionists as in this case, to also watch what the other hand is being used for," he said.

Bounty Still Out

While the Conficker masters iron out details, businesses are planning countermeasures to fight the virus.

In February, Microsoft announced a collaboration dubbed the Conficker Cabal with other industry leaders, including AOL, F-Secure, Arbor Networks, and VeriSign, to put together a coordinated response to the worm.

The software giant has been working with the Internet Corporation of Assigned Names and Numbers (ICANN) and operators of Domain Name Systems to find a way to disable the domains targeted by Conficker. Microsoft has also posted a $250,000 bounty for information that results in the arrest and conviction of those responsible for launching the malicious code.