The Spread of the Witty Worm

The witty worm caused problems that required hard drive data recovery as it wiped out large portions of the hard drive in infected computers. The witty worm first appeared in 2004 on March 19 when it struck computers that were part of the Internet Security Systems, or ISS. This included a number of networks and computers on the RealSecure system. The worm found a flaw in the firewall of the computer and entered that way. The worm was known as a destructive payload and was the first of its kind. The worm deleted a large section of the computer’s hard drive, once it landed in the system, necessitating a hard drive recovery. The worm’s name came from the fact that it included the phrase “insert witty message here”. The worm was also unique in that it was highly organized and began relatively quickly after the security flaw was discovered.


The network telescope refers to an amount of address space that’s announced on a global scale. The network telescope receives a small number of information packets sent to the address in question. With the witty worm, for every 256 packets of information sent by the worm, one was received. The ISS vulnerability was announced on March 8 of 2004. A program known as eEye uncovered a problem relating to the overflow of information in the buffer zone. ISS alerted users to this vulnerability as soon as possible. Witty worm details include the fact that it caused the host to send 20,000 packets to random computers and IP addresses. It then latched itself to the hard drive and erased information before returning to send more information. It continued this cycle until the computer crashed.

Spread of the Witty Worm

The witty worm spread much faster and easier than previous worms did. It infected its first computer on March 9, and spread to over 200 hosts within the first minute. It continued to spread rapidly for the first 45 minutes, sending 11 million packets of information every second. It hit at least 12,000 computers during its duration and was the first to move quickly within a small population. It spread faster than the programmers could match, leaving many feeling defenseless and unsure of how to proceed. A patch was implemented as soon as possible, and many of the hosts were left inactive by the end.

Witty Worm Victims

The victims of the witty worm were those with firewalls installed on their computers. These individuals hoped to prevent bugs, and the worm took advantage of that fact. Not long after they announced the security problem, the worm was released. Those with a fast internet connection saw the worm spreading more rapidly because it depended on the connection speed to replicate. Once it infected the firewall, it looked for information on the security of the machines and adapted itself to work around the security measures installed on the computers. The United States was hit more than other countries because it had the highest number of ISS users.

Resources on the witty worm include:

Outwitting the Witty Worm: a look at how the worm was stopped from a technological stand point.
eEye: notes the actual report detailing the security vulnerability.
The Spread of the Witty Worm: focuses on how the worm came about and spread.
“Witty” Worm Wrecks Computers: discusses the work of eEye in stopping the worm.
W32 Witty Worm: focuses on the current state of the worm.
A New Chapter in Malware: a history of the worm.
C-Net: provides information on how the worm was stopped with patches.
Witty Worm Traced to Patient Zero: discusses the first computer infected with the worm.
Witty Worm Propagation Modeling: focuses on how the virus spread.
Witty Worm Traced to Europe: discusses the computer responsible for passing along the witty worm.


The witty worm was the first worm that caused damage to computers after infecting them while still sending itself on to other computers. It was also the first to damage a large number of computers at one time. It showed that a single individual had the ability to spread a computer virus and affect many different users at the same time. It also showed that computer viruses were capable of using a single vulnerability to cause problems, and that the future of computer worms was a serious idea worth studying.