The Conficker virus, which has infected millions of computers around the world, is finally activating itself in a bid to become a money-making machine for cybercriminals.

Infected machines have started to update themselves and download a fake anti-virus program aimed at tricking users into paying out for useless security software, security researchers said.

The virus may also be destined to be used by its cybercriminal creators to send millions of spam emails and steal passwords from infected computers by creating a "botnet" of "zombie" machines.

Ivan Macalintal, a Trend Micro advanced threats researcher, said Conficker began showing activity on Tuesday, nearly a week after the expected April 1 activation date that had computer security experts on alert around the world.

Infected machines were contacting each other to download new malicious software, he said.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update," Macalintal wrote in a post on the TrendLabs Malware blog. "The Conficker/Downad P2P communications is now running in full swing!"

Other researchers at Kaspersky Labs found that Conficker was downloading a fake $49.95 security scanner called Spyware Protect 2009, which may mean millions of Conficker-infected machines will start getting pop-up messages advertising the product.

The latest version of Conficker is also downloading another, separate worm called Waledac onto the infected systems. Waledac is a known botnet linked to data theft and email spam campaigns.

Paul Ferguson at internet security company Trend Micro noted: "Having followed the activities of Eastern European online cyber crime for several years, there is one thing we are certain about — these criminals are motivated by one thing: money.

"How was Downad/Conficker helping them meet their goals? It wasn’t. A very large botnet of compromised computers doesn’t make money if it justs 'sits there' doing nothing. So now we see that the Downad/Conficker botnet has awakened, and perhaps their desire to monetising their efforts is becoming more clear."

Waledac usually spreads via a malicious web link or an e-mail, typically a fake greeting card. Once it infects a numer of machines they can be remotedly controlled to send scam emails advertising medical products or phishing messages.

The Conficker virus started spreading late last year. At first it was a relatively simple worm but its creators issued updates turning it into a more sophisticated and resilient virus that has found new ways to spread. It has also gained the ability to shut down a computer's defences

Conficker infects machines by exploiting a weakness in Windows, the software that runs on most computers. At its peak it had compromised about 12 million PCs, although that may have fallen to about two million thanks to new security measures.

Once the worm is on a computer, that PC becomes part of a “botnet” – a network of computers that can be controlled by the virus's creator.

In the past year the virus has spread to computers in schools, hospitals and government departments. It has got into the defence forces of Britain, Germany and France, grounding the French Navy's fighter jets for a time.

A task force assembled by Microsoft has been working to stamp out the worm and the company has placed a bounty of $250,000 on the heads of those responsible for the threat.

The worm, a self-replicating program, takes advantage of networks or computers that have not kept up to date with Windows security patches. Microsoft has modified its free Malicious Software Removal Tool to detect and get rid of Conficker.

Among the ways one can tell if their machine is infected is that the worm will block efforts to connect with websites of security firms such as Trend Micro or Symantec where there are online tools for removing the virus.