Security vendor F-Secure put the infected machine estimate bluntly, posting in a blog that there are:
"2,395,963 infections worldwide. This figure is conservative; the real number is certainly higher."
That same post goes into some detail about how the worm works; further details are here, at F-Secure's Downadup/Conficker page.
While it's early days yet to see what form a potential botnet formed from the infected machines will take, we all know all too well how quickly early days can become "too late!"
And in some ways this one is already too late -- the worm takes advantage of unpatched machines from last October's critical Microsoft patch for most versions of Windows, Vista and Windows Server.
Probably there won't be a better example this year of just how poorly the world's PC users act on patching vulnerabilities, even critical ones, than this.
But don't bet on it. The year's still young.
And so, alas, is the wannabe botnet.