UPDATE 1-Spain busts ring accused of infecting 13 mln PCs

Tue Mar 2, 2010 6:30pm EST

* Police arrest 3 men suspected of running Mariposa botnet

* Attacks in 190 countries, incl 40 financial institutions

* Botnet stole credit card numbers, data

* Exploited flaw in Internet Explorer Web browser

* Spanish police to hold news conference on Wednesday (Adds details on suspects, background)

By Jim Finkle

BOSTON, March 2 (Reuters) - Spanish police have arrested three men accused of masterminding one of the biggest computer crimes to date -- infecting more than 13 million PCs with a virus that stole credit card numbers and other data.

The men were suspected of running the Mariposa botnet, named after the Spanish word for butterfly, Spain's Civil Guard said on Tuesday. A press conference to give more details is scheduled for Wednesday.

Mariposa had infected machines in 190 countries in homes, government agencies, schools, more than half of the world's 1,000 largest companies and at least 40 big financial institutions, according to two Internet security firms that helped Spanish officials crack the ring.

"It was so nasty, we thought 'We have to turn this off. We have to cut off the head,'" said Chris Davis, CEO of Defence Intelligence Inc, which discovered the virus last year.

The security firms -- Defence Intelligence Inc. of Canada and Panda Security S.L. of Spain -- did not say how much money the hackers had stolen from their victims before the ring was shut down on Dec. 23. Security experts said the cost of removing the malicious program from 13 million machines could run into tens of millions of dollars.

Mariposa was programmed to secretly take control of infected machines, recruiting them as "slaves" in an army known as a "botnet." It would steal login credentials and record every key stroke on an infected computer and send the data to a "command and control center," where the ringleaders stored it.

"Basically they were going after anything that would make them money," Davis said.

Mariposa initially spread by exploiting a vulnerability in Microsoft Corp's (MSFT.O) Internet Explorer Web browser. It also contaminated machines by infecting USB memory sticks and by sending out tainted links using Microsoft's MSN instant messaging software, he said.

A Microsoft spokeswoman said the company did not immediately have any comment.

The suspected ringleader, nicknamed "Netkairo" and "hamlet1917," was arrested last month, as were two alleged partners, "Ostiator" and "Johnyloleante," according to Panda Security.

Panda Security Senior Research Advisor Pedro Bustamante said that one of the three was caught with 800,000 personal credentials when Spanish police arrested him.

In addition to collecting data, the three men rented out millions of enslaved machines to other hackers, according to Bustamante.

The Mariposa botnet is one of many such networks, the bulk of which are controlled by syndicates that authorities believe are based in eastern Europe, southeast Asia, China and Latin America. While authorities sometimes succeed in shutting them down, they rarely catch the criminals behind the networks.

"Mariposa's the biggest ever to be shut down, but this is only the tip of the iceberg. These things come up constantly," said Mark Rasch, former head of the U.S. Department of Justice computer crimes unit.

He said he suspects there were more than three people behind Mariposa, and that any ringleaders who were not arrested could soon put the network back online. (Reporting by Jim Finkle, additional reporting by Madrid newsroom. Editing by Robert MacMillan)

Comments (1)
breezinthru wrote:
I owned Microsoft operating systems since the days of DOS. In 2009, I finally bought my first Apple computer.

No more virus problems; I’m delighted with my new, less troublesome system.

Mar 04, 2010 7:22am EST