Security vendor MessageLabs, which calls the variant W32/Yaha.K, said the rate of spread has been declining steadily since Monday (30 December) when the company intercepted more than 8,000 copies of the virus.
By Wednesday that figure had declined to 6,500 and it stood at just over 2,000 on Thursday afternoon in Europe.
Altogether MessageLabs had detected more than 34,000 copies of the virus.
The virus originated in Kuwait and has hit 100 countries including the Netherlands, UK, Canada, Egypt, United Arab Emirates, Saudi Arabia and Australia.
Symantec, which is calling the worm [email protected], rates the virus threat assessment as low, the damage assessment as medium and the distribution of Yaha as high, according to information on its Web site.
McAfee.com and parent company Network Associates rated W32/Yaha.k as "medium risk" to both home and corporate users.
Helsinki's F-Secure gave the Yaha.K virus a level two alert on its scale of three levels, meaning the virus was causing widespread infection. It said the virus carries aliases including Yaha.M, W32/[email protected], I-Worm.Lentin.h and Yaha.K!e2a2.
The worm affects mainly systems running Microsoft's Windows operating system and appears as an e-mail attachment in the form of a .exe or .scr file.
Infected emails carry a wide variety of subject headings and messages. The virus contains its own e-mail client to mail itself out, forging the "from" address. It attempts to close down a number of firewalls and antivirus programs, according to MessageLabs.