The world's top virus hunters are watching every move made by the attacker in control of a nasty new Internet worm referred to as "downadup" or "conficker."

What worries them is that the person or group controlling the worm could at any time direct the PCs to carry out criminal activities on an unprecedented scale. And there's not much anyone can do to stop them.

The attackers could use the infected PCs to steal data, spread spam or commit other cybercrimes.

"We have a lot of people looking at this, and with everybody watching it, hopefully they will be too scared to do anything," says Patrik Runald, security adviser at F-Secure. "That's really the only thing we can hope for."

In less than three weeks, the worm has spread to more than 1 million PCs around the globe, mostly inside companies, according to F-Secure and security firm SecureWorks. A globe-spanning worm of that magnitude has not been seen since 2004.

The worm takes advantage of a software security hole that exists on hundreds of millions of Windows PCs. Microsoft issued an emergency patch in October.

This worm first appeared on Jan. 7. It probes for and implants itself on unpatched Windows PCs. It then scans for, breaks into and infects all nearby computer servers. It also implants itself onto any portable device plugged into the PCs' USB inputs, such as a thumb drive storage stick, iPod or digital camera. When the corrupted device is plugged into another computer, that machine becomes infected — and begins searching for other PCs to infect.

SecureWorks researcher Don Jackson says the infections have been spreading in bursts inside corporate networks. "It's like time bombs going off," he says.

Experts advise corporations to disable a Windows feature called autorun to cut down infections from USB devices. Microsoft has a cleanup tool available.

But the worm blocks Internet traffic trying to get to Microsoft's tool. "This worm was written by people who know what they're doing," says Runald.

Security companies have teamed up to block some of the 250 Web addresses the infected PCs are instructed to contact for further orders. But the list of 250 addresses changes once a day.

Vincent Weafer, vice president of Symantec Security Response, says the attackers may have been too successful. "There's no way they want this much attention," he says, adding that he expects them to back off.