eWeek Security Watch
October 16, 2007 6:07 PM

The Storm Worm Is Not Causing the Sky to Fall



The scope of the Storm botnet, made up of zombie computers controlled remotely and used to blanket the world in spam, has been estimated to reach from 1 million to 50 million infected systems as of September.

But has it really?

Those numbers have reached epic and steadily growing proportions in the media, but they may well be off. SecureWorks thinks the Storm botnet may comprise between 250,000 and 1 million bots overall—"not a terrible threat," says Joe Stewart, senior security researcher for SecureWorks.

Microsoft's Malicious Software Removal Tool cleaned it off about 300,000 hosts recently—a number that would be far greater if the botnet were really running on a 50-million-bot engine, Stewart says.

As for why the numbers have been pumped so high, it might be that some researchers are counting the total number of peers talking on the Overnet P2P protocol, he suggested. Using that figure wouldn't distinguish systems compromised with Storm from normal peers talking to each other, however.

"Overnet is not just Storm; it's all these other clients. They could be counting the entire P2P network," he said.

For those who like to keep track of what worms or virus families are at the top of the risk list, Microsoft ran some numbers for me on the morning of Oct. 16 PST, based on MSRT telemetry from the October release. The current ranking:

Win32/Zlob
Win32/Renos
Win32/RJump
Win32/Rbot
Win32/Brontok
Win32/Jeefo
Win32/Hupigon
Win32/Virut
Win32/Banker

The Storm virus rate has dropped from No. 3 on the list to No. 10, right below all the worms listed above.

Here's why:

"Storm has dropped on the list because during the first month after the MSRT is updated to remove new malware variants, the MSRT will clean all the available machines that have been infected in the past by this malware. In subsequent months, the MSRT will clean up the machines that are re-infected as well as those that are running MSRT for the first time," a Microsoft spokesperson said in an e-mail.
