Some viruses are merely pesky; others are downright nasty. The Witty Worm, which made its debut at approximately 8:45 p.m. PST on March 19, 2004, falls into the latter category. Within 45 minutes, the Witty Worm had corrupted its entire target population of 12,000 computers worldwide. The worm earned its moniker from the phrase “(^.^) insert witty message here (^.^)” in its payload.
Why Witty Worm stands out in malware history
Twelve thousand might seem like a small number compared with, say, the Blaster Worm, which shut down government offices and might have contributed to the August 2003 blackout in the northeastern United States. However, the Witty Worm stands out in malware history for three reasons:
- It was the first worm to target only machines running certain software: specific versions of Internet Security Systems’ BlackICE and RealSecure.
- The worm appeared only 36 hours after a vulnerability in the ISS software products was publicized. Witty relied on a buffer overflow vulnerability in firewall software.
- Witty featured a destructive payload. The worm would delete data in 64KB chunks after sending out 20,000 copies of itself.
The destructive payload was ultimately Witty’s undoing. Eventually, an infected machine would crash, and once enough of the 12,000 target machines had shut down, Witty was pretty much put out of business. In 2005, researchers traced the virus’ origins to a single European computer.