Experts track new computer invader

Published 4:00 am Friday, January 23, 2009

A new digital plague has hit the Internet, infecting millions of personal and business computers in what seems to be the first step of a multistage attack. The world’s leading computer security experts do not yet know who programmed the infection, or what the next stage will be.

In recent weeks a worm, a malicious software program, has swept through corporate, educational and public computer networks around the world. Known as Conficker or Downadup, it is spread by a recently discovered Microsoft Windows vulnerability, by guessing network passwords and by hand-carried consumer gadgets like USB keys.

Experts say it is the worst infection since the Slammer worm exploded through the Internet in January 2003, and it may have infected as many as 9 million personal computers around the world.

Worms like Conficker not only ricochet around the Internet at lightning speed, they harness infected computers into unified systems called botnets, which can then accept programming instructions from their clandestine masters. “If you’re looking for a digital Pearl Harbor, we now have the Japanese ships steaming toward us on the horizon,” said Rick Wesson, the chief executive of Support Intelligence, a computer security consulting firm based in San Francisco.

Microsoft rushed an emergency patch to defend the Windows operating systems against this vulnerability in October, yet the worm has continued to spread at a steady rate even as the level of warnings has grown in recent weeks.

Earlier this week, security researchers at Qualys, a Silicon Valley security firm, estimated that about 30 percent of Windows-based computers attached to the Internet remain vulnerable to infection because they have not been updated with the patch, despite the fact that it was made available in October. The firm’s estimate is based on a survey of 9 million Internet addresses.

Security researchers said that the success of Conficker is due in part to lax security practices by both companies and individuals, who frequently do not immediately install updates.

A Microsoft executive defended the company’s security update service, stating there is no single solution to the malware problem. “I do believe the updating strategy is working,” said George Stathakopoulos, general manager for Microsoft’s Security Engineering and Communications group. But he added that organizations must focus on everything from timely updates to password security. “It’s all about defense in depth,” he said.

Alfred Huger, vice president of development at Symantec’s security response division, said, “This is a really well-written worm.” He said that security companies were still racing to try to unlock all of its secrets. Unraveling the program has been particularly challenging because it comes with encryption mechanisms that hide its internal workings from those seeking to disable it.

Most security firms have updated their programs to detect and eradicate the software, and a range of companies offer specialized software programs for detecting and removing it.

Several computer security firms said that although Conficker appears to have been written from scratch, it has some parallels to the earlier work of a suspected Eastern European criminal gang that has profited by sending programs known as “scareware” to personal computers. These programs seem to warn users of an infection and ask for credit card numbers to pay for bogus antivirus software that actually further infects their computer.
