The main worm uses the motherboard, BIOS, kernel/firmware/drivers and works in layers and runs as soon as the machines are on. The original hacker used Yahoo through ICMP to connect till I made it known. He has abandoned the worm and given info to kiddie hackers hoping to back out and get away. If you want to know if a connected IP is the hacker, all ya do is use whois.net and search the IP; if the thread freezes up, it's linked.
Source: https://threatpost.com/researcher-warns-twitter-security-flaw-012210/73416/