"Today seems better than the day before, and we think that growth of Downadup has been curbed," Sean Sullivan, a technical specialist with anti-virus firm F-Secure, said Friday on the company's blog.
Despite the slowdown, more than 10 million machines remain infected with the rampant malware, about one percent of which are located in the United States, F-Secure said. The outbreak is the biggest within corporations since Nimda in 2001.
Right now, the worm appears to be assembling a huge botnet as it sits quietly on compromised machines, only disabling access to Windows Server Update Services (WSUS) or to websites used to receive new anti-virus signatures, said Tom Cross, an X-Force team researcher at IBM ISS.
"The fear is that a new update will be pushed out [from the botmaster] with some additional capabilities," Cross said. "It could launch a denial-of-service attack. It could steal people's credit card numbers. It could destroy machines that are infected...Or maybe it won't do anything at all."
The worm became particularly potent earlier this month when a new variant began spreading by copying itself to removable media devices or to network shares by guessing weak passwords, according to Microsoft. Both propagation methods cannot be stopped by applying a patch from Microsoft, which only deters the spread of the worm through remote code execution.
"The thing that we are trying to get out there is that there's been a lot of focus on the Microsoft vulnerability, and we don't think this is the primary way it spreads," Cross said.
Sullivan said that as the infections slow, concern turns to effective removal. Anti-virus vendors offer solutions. Microsoft also has made disinfection possible through the most recent update of its Software Removal Tool.