Some viruses are merely pesky; others are downright nasty. The Witty Worm, which made its debut at approximately 8:45 p.m. PST on March 19, 2004, falls into the latter category. Within a swift 45 minutes, the Witty Worm had corrupted its entire worldwide target population of 12,000 computers. The worm earned its moniker from the phrase “(^.^) insert witty message here (^.^)” in its payload.

Why Witty Worm stands out in malware history

Twelve thousand might seem like a small number compared with, say, the Blaster Worm, which shut down government offices and might have contributed to the August 2003 blackout in the northeastern United States. However, the Witty Worm stands out in malware history for three reasons:

  • It was the first worm to target only machines running certain software: specific versions of Internet Security Systems’ (ISS) BlackICE and RealSecure products.
  • The worm appeared only 36 hours after a vulnerability in the ISS software products was publicized. Witty relied on a buffer overflow vulnerability in firewall software.
  • Witty featured a destructive payload. After sending out 20,000 copies of itself, the worm would delete data in 64KB chunks.

The destructive payload was ultimately Witty’s undoing. Eventually, an infected machine would crash, and once enough of the 12,000 target machines had shut down, Witty was pretty much put out of business. In 2005, researchers traced the virus’ origins to a single European computer.

Posted by Kate Johanns

Kate Johanns is a communications professional and freelance writer with more than 13 years of experience in publishing and marketing.
