On its blog, security group the RSA FraudAction Research Lab said the Sinowal Trojan - also known as Torpig and Mebroot - was first detected in February 2006.
It has since stolen the login details of around 300,000 online accounts and another 300,000 debit and credit card numbers. Customers from the US, France, Germany, the UK, Australia, China, Malaysia and others are thought to have been affected by the virus, although no accounts in its suspected country of origin - Russia - have been breached.
RSA said a single crime gang is thought to be behind Sinowal. The virus works by "injecting" legitimate-looking requests for personal information into internet browsers. Over 2,700 URLs currently trigger an attack and the creators of Sinowal keep releasing new variants to ensure it maintains an "uninterrupted grip" on infected computers.
Sean Brady of RSA said: "The group behind it have made sure to invest in the infrastructure no doubt because the return and the potential return is so great."