The global cost of the Code Red worm has topped $2.6 billion, according to Computer Economics.
An estimated $1.1 billion was spent cleaning infected servers and another $1.5 billion has been attributed to downtime and lost productivity.
Dubbed a "blended threat", because it is multifaceted in its operating methods and effects, Symantec Australia managing director John Donovan said Code Red's discovery was hampered because there was no outward indication of its presence on Microsoft's Internet Information Server (IIS).
"Infected servers did not crash and blended threats need a much more comprehensive security solution to provide multiple layers of defence," he said.
Code Red is able to launch a Denial of Service (DoS) at a designated IP address, deface Web servers and, with Code Red II, leave a Trojan horse behind for later execution.
"The nature of the initial Code Red attack, processing on memory rather than on a hard disk, allowed it to evade detection by most antivirus products," Donovan said.
Typically, viruses require some human intervention in order to spread such as sending an infected file to another user. However, blended threats are automated like a worm continuing to spread without human intervention.
Donovan said blended threats exploit known vulnerabilities such as buffer overflows and many systems are not up to date with the latest patches.
Nimda is another example of a blended threat and Donovan said simply visiting Web pages of compromised Web servers can infect users.
"It could also propogate via e-mail and attack hard disks of systems that had enabled file-sharing over the network. From a coverage perspective Nimda demonstrated a follow-the-sun pattern, appearing first in the US then migrating to Asia and Europe," he said.
"Implementing best practices in a consistent, on-going manner is the best defence against infection to minimise harm. This includes removing unneeded services, keeping patches up to date and enforcing strong passwords."
Donovan said strong passwords should be at least eight characters in length, should include alphabetical, numerical and special characters and should be changed regularly.
He said IT shops should combine a defensive barrier that includes antivirus, content filtering, firewall, vulnerability management and intrusion detection.