The security firm Symantec said Stuxnet, which until now was thought to have been developed in 2009, is older than previously reported.
An analysis of the code used in the malware reveals it "was in operation between 2007 and 2009 with indications that it, or even earlier variants of it, were in operation as early as 2005," a Symantec blog post said.
Stuxnet was designed to attack computer control systems made by German industrial giant Siemens and commonly used to manage water supplies, oil rigs, power plants and other critical infrastructure.
Most Stuxnet infections have been discovered in Iran, giving rise to speculation it was intended to sabotage nuclear facilities there.
Some reports say US and Israeli intelligence services collaborated to develop the computer worm to sabotage Iran's efforts to make a nuclear bomb.
Symantec called Stuxnet "one of the most sophisticated pieces of malware ever written," and said "a small number of dormant infections" have been found over the past year. Nearly half were in Iran, but other infections were located in the United States and other countries.
Kaspersky, a Russian computer security firm, said last year Stuxnet was related to another computer virus dubbed Flame, which could have been created in 2007 or 2008.