Security researchers are reporting that a worm has infected 3.5 million
Windows computers in the past four days.
The worm, known as 'Conficker', 'Downadup' or 'Kido', exploits a
vulnerability that Microsoft patched in October 2008. The malware sets up an
HTTP server and resets a machine's System Restore point to stop administrators
deleting it.
"The number of Downadup infections are skyrocketing based on our
calculations," said security firm F-Secure in a blog posting.
"From an estimated 2.4 million infected machines to over 8.9 million during
the last four days. That's just amazing."
The worm contains the usual Trojan package that allows the controller to
download new files from their own server. But, in an unusual twist, the malware
generates hundreds of seemingly random domain names to scan for updates, making
it much harder to track the one used by the malware writer.
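As an added example (not from the article, nor from F-Secure or Sophos), a crude defender-side check that follows from the behaviour just described: because the update domains change constantly, blocking them one at a time is futile, but a host that looks up many unpronounceable names stands out in DNS logs. The log format, the sample lines and the thresholds are all constructed assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample DNS query log (not real Conficker traffic):
# "<timestamp> <client-ip> <queried-name>"
SAMPLE_DNS_LOG = """\
2009-01-16T10:00:01 10.0.0.12 www.microsoft.com
2009-01-16T10:00:02 10.0.0.12 update.f-secure.com
2009-01-16T10:00:03 10.0.0.12 qwpxkzjvtrb.net
2009-01-16T10:00:03 10.0.0.12 bkzqwvtrpxe.org
2009-01-16T10:00:04 10.0.0.12 mail.example.org
2009-01-16T10:00:04 10.0.0.12 zxqvkrptwsn.com
2009-01-16T10:00:05 10.0.0.44 sophos.com
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")  # assumed log layout

def second_level_label(name):
    """Label left of the TLD, e.g. 'qwpxkzjvtrb' for 'qwpxkzjvtrb.net'.
    (Assumes generic TLDs; ccSLDs such as '.co.uk' would need a suffix list.)"""
    parts = name.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def vowel_ratio(label):
    letters = [c for c in label if c.isalpha()]
    return sum(c in "aeiou" for c in letters) / len(letters) if letters else 0.0

def longest_consonant_run(label):
    return max((len(m) for m in re.findall(r"[^aeiou0-9\-]+", label)), default=0)

def looks_generated(label, max_vowel_ratio=0.2, min_consonant_run=5):
    """Heuristic: human-chosen names tend to be pronounceable; generated ones
    are vowel-poor or contain long consonant runs. Thresholds are assumptions
    and will need tuning against a site's own benign traffic (CDN hosts etc.)."""
    return (vowel_ratio(label) <= max_vowel_ratio
            or longest_consonant_run(label) >= min_consonant_run)

def suspicious_lookups(log_text):
    """(client, name) pairs whose queried domain looks algorithmically generated."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        _, client, name = m.groups()
        if looks_generated(second_level_label(name)):
            hits.append((client, name))
    return hits

def clients_by_suspicious_count(log_text):
    """Rank clients by how many generated-looking names they resolved;
    a host at the top is the one to pull off the network and inspect."""
    return Counter(client for client, _ in suspicious_lookups(log_text))
```

A single odd lookup proves nothing; the signal is one client producing a burst of them, which is why the count per client is what gets surfaced.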
"Our advice is to block all incoming and outgoing traffic on port 445 from
those computers to ensure that (a) they aren't hit with exploits from the
internet and (b) if they somehow are exploited, they aren't able to infect the
rest of the network via file shares," said Graham Cluley, senior technology
consultant at Sophos.
"Furthermore, if you have a group policy in place to lock out accounts after
too many unsuccessful log-in attempts, the worm will probably cause many of
these accounts to become locked out during the worm's password cracking
attempts.
"This can obviously be annoying but, at the same time, it is a good indicator
that you may have an infected computer on the network."
Servers in the US and Europe have had the fewest infections owing to regular
updating by IT administrators. China, Brazil and Russia have been hit hardest,
according to F-Secure.