MoD technicians spent more than four weeks isolating and cleaning computer systems across 30 sites after the Lovgate worm struck last year.
Lovgate spread rapidly when it first struck in February 2003. It reproduced by sending e-mails which masqueraded as a reply to the victim and by copying itself to shared network folders.
The worm left a back door on infected machines which could have been exploited by hackers.
The MoD believes the worm was introduced onto its systems by a single user who infected an MoD computer by inserting a floppy disc.
Had Lovgate not been a relatively benign virus, the impact of the infection could have been far more severe, the report revealed.
Last month, Lord Bach, government spokesman for defence, told the House of Lords that Lovgate had not damaged national security. "There has been no recorded degradation to UK military readiness; the systems affected by the Lovgate virus did not have a direct impact on operational networks," he said.
The MoD has suffered 71 virus and malicious code infections since it began keeping records in May 2002. They have included two MyDoom, one Sobig and five Netsky infections.
The Army has been hit 18 times, the Navy 14 times, the RAF 19 times, the MoD central operations four times and the Defence Procurement Agency three times. Two-thirds of the viruses spread across MoD networks, and one-third were isolated in standalone computer systems.
The time taken to remove the malicious programs from infected systems and restore normal operation ranged from a few hours to three days, Bach revealed. "The MoD system and network infrastructure is continually monitored, with defence in depth at key points to prevent cross-infection," he said.