The worm that’s infected millions of Windows PCs is a “very well-engineered” piece of malware. But researchers still have no clear idea what the hackers plan to do with the collection of computers they’ve compromised with “Downadup.”

Downadup, also called “Conficker,” has infected an estimated 6% of PCs worldwide . The worm spreads by exploiting a four-month-old vulnerability in Windows, by brute-force password attacks and by hitchhiking on USB devices like flash drives.

And effective. Most researchers, including those at Symantec, have said the worm is the most invasive seen in the last six years.

The faster hackers can come up with an exploit and put it on the street, the better luck they usually have, for fewer users patch their machines in the first days or weeks after a vulnerability is fixed.

Although some researchers now say that Downadup seems to have peaked — F-Secure Corp. Friday noted that its “growth…has been curbed” — researchers remained worried about the next step in the attack.

Most malware infects PCs so that hackers can then use the collected machines, dubbed a “botnet,” to send spam, attack Web sites or compromise more computers. To do that, the original attack code directs the now-controlled PC, a “bot” in security parlance, to download additional software.

But Downadup has yet to trigger such second-stage downloads.

Calling the scope of the attack “amazing,” security researchers at F-Secure Corp. Friday said that 6.5 million Windows PCs have been infected by the “Downadup” (or “Conficker”) worm in the last four days, and that nearly nine million have been compromised in just over two weeks.

Early Friday, the Finnish firm revised its estimate of the number of computers that had fallen victim to the worm, and explained how it came to the figure. “The number of Downadup infections [is] skyrocketing,” Toni Koivunen, an F-Secure researcher, said in an entry to the company’s Security Lab blog . “From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That’s just amazing.”

Downadup — which also goes by the name “Conficker” — exploits a bug in the Windows Server service used by Windows 2000 , XP, Vista , Server 2003 and Server 2008. Although Microsoft fixed the flaw with one of its rare “out of cycle” updates in late October, about a third of all PCs have not yet been patched, according to Qualys Inc., another security company. Those PCs are the ones being hijacked by the worm.

Once it’s gotten onto a PC, Downadup generates a list of possible domains, selects one, then uses that URL to reach a malicious server from which it downloads additional malware to install on the hijacked computer. F-Secure, however, has registered some of those domains, and has been able to monitor traffic through those URLs.

By examining logs of connection attempts to the domains, F-Secure discovered several hundred thousand different IP addresses — over 350,000 as of today — as well as a counter embedded in each that spells out the number of additional PCs that the infected machine has compromised.

You can find a solution to this Virus here