As I'm posting this, it's 00:18 on the 1st of April in Auckland, New Zealand.
But there aren't that many Conficker infections in New Zealand to begin with.
The infection situation in South Korea is more interesting; it's in the TOP 5 infected countries. And it's already 20:18 on the 31st in Seoul right now.
So, when exactly is Conficker activating?
It goes like this:
Conficker checks the local clock every 90 minutes (in some cases even more frequently)
The check is done with the Windows GetLocalTime function
GetLocalTime gives the local time, based on the local time zone
Because of this, machines around the world are returning different times
Clock skew affects this as well
But not by much, as Windows machines will sync their local clock with time.windows.com once a week
Once the local clock says it's April 1st, Conficker will collect a date from the net
This means that machines in Australia will already be collecting a date from the net when machines in Hawaii aren't.
Conficker's net time collection uses several large websites to get the date. These are sites such as:
The HTTP header times on these sites are very accurate and very close to each other.
You can check these yourself: simply connect to port 80 of any website with netcat or telnet. In Windows, simply run "telnet google.com 80". Once connected, type (blindly) "GET /" and hit enter a couple of times. You'll get a screenful of results, including a "Date:" field.
Here are some sample HTTP HEAD returns from websites that Conficker uses to check the date. These were checked earlier this morning:
Google.com
  Date: Tue, 31 Mar 2009 06:27:42 GMT
  Client-Date: Tue, 31 Mar 2009 06:27:42 GMT
  Client-Peer: 220.127.116.11:80

www.baidu.com
  Date: Tue, 31 Mar 2009 06:31:47 GMT
  Expires: Tue, 31 Mar 2009 06:31:47 GMT
  Client-Date: Tue, 31 Mar 2009 06:31:48 GMT
  Client-Peer: 18.104.22.168:80

www.youtube.com
  Date: Tue, 31 Mar 2009 06:32:30 GMT
  Expires: Tue, 27 Apr 1971 19:44:06 EST
  Client-Date: Tue, 31 Mar 2009 06:32:31 GMT
  Client-Peer: 22.214.171.124:80
When the local clock says it's April 1st, Conficker will fetch the date values from the above sites and will use these values in an algorithm to generate 50,000 unique domain names. Do note that even if the date from the web sites says it's March 31st, Conficker would still activate if the local clock says it's April 1st.
Machines that are infected by Conficker.C and are turned on will change modes between 00:00 and 01:30 on April 1st, based on each machine's own clock. The ones that are turned off will change modes soon after they are booted up.
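The timing described above can be worked out per time zone, which is useful when planning monitoring for the mode change. This is an added example, not code from the original post and not Conficker's own logic; it models only the clock check, and the fixed UTC offsets (Auckland +13, Sydney +11, Seoul +9, Honolulu -10 for this date), the city list and the function names are assumptions.

```python
from datetime import date, datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Assumed fixed UTC offsets (hours) valid for 31 Mar / 1 Apr 2009.
OFFSETS = {"Auckland": 13, "Sydney": 11, "Seoul": 9, "Honolulu": -10}
TRIGGER = date(2009, 4, 1)               # local date that starts the mode change
CHECK_INTERVAL = timedelta(minutes=90)   # local clock is polled every 90 minutes

def local_time(utc_now, offset_hours):
    """Local wall-clock time for this zone, ignoring clock skew."""
    return utc_now.astimezone(timezone(timedelta(hours=offset_hours)))

def past_trigger(utc_now, offset_hours):
    """True once the local clock in this zone reads April 1st or later."""
    return local_time(utc_now, offset_hours).date() >= TRIGGER

def activation_window_utc(offset_hours):
    """UTC interval in which a powered-on machine in this zone notices April 1st
    (local 00:00 to 01:30, because of the 90-minute polling)."""
    tz = timezone(timedelta(hours=offset_hours))
    start = datetime(TRIGGER.year, TRIGGER.month, TRIGGER.day, tzinfo=tz)
    start = start.astimezone(timezone.utc)
    return start, start + CHECK_INTERVAL

def http_date(header_line):
    """Parse an HTTP 'Date:' header line into an aware UTC datetime."""
    return parsedate_to_datetime(header_line.split(":", 1)[1].strip())

if __name__ == "__main__":
    # Moment of the post: 00:18 on 1 April in Auckland.
    now = datetime(2009, 4, 1, 0, 18, tzinfo=timezone(timedelta(hours=13)))
    for city, off in sorted(OFFSETS.items(), key=lambda kv: -kv[1]):
        start, end = activation_window_utc(off)
        print(f"{city:9} local {local_time(now, off):%d %b %H:%M}  "
              f"window {start:%d %b %H:%M} to {end:%d %b %H:%M} UTC  "
              f"past trigger: {past_trigger(now, off)}")
    # Header value taken from the sample returns in the post.
    web = http_date("Date: Tue, 31 Mar 2009 06:27:42 GMT")
    # The web date can still read March 31st while the local clock has
    # already crossed into April 1st; the local clock decides.
    print("web date:", web.date(), "| Auckland past trigger:",
          past_trigger(now, OFFSETS["Auckland"]))
```
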