IBM says the Conficker worm could be on 4 percent of PCs, after it scanned 2 million computers in a 24-hour period to track the spread of the malware.
IBM's Internet Security Systems (ISS) division said that even though Conficker - also known as Downadup - is the internet's biggest worst worm outbreak in years, the results of its scan still came as a shock.
"It is higher than what we expected; I thought we'd see 1 to 2 percent," said Holly Stewart, ISS threat response manager.
Earlier this week internet infrastructure provider OpenDNS said 500,000 of its users had been infected with the latest variant of Conficker, and estimates of the worm's reach have previously stretched to 10m PCs. IBM's tests suggest Conficker may be installed on tens of millions of PCs worldwide.
"It's not a perfect number, nothing is. But it's the best that we can give with the data we have right now," said Stewart.
Conficker first emerged as a serious threat in October 2008. Once it infects a machine, it can spread very quickly on a local area network by taking advantage of a now-patched flaw in Microsoft Windows.