
The Rise and Reign of Computer Worms: Inside the Battle for Control

Shireen Stephenson. Published October 15, 2025

Key takeaways: Computer worm

Stuxnet was no ordinary worm; it changed the course of history as the first worm used for geopolitical warfare.

In 1988, a graduate student released the world's first worm, and no one expected him to do it. 

Worm infections aren't just ordinary annoyances. Any of ten (10) warning signs could mean your home or business office is under attack. 

Worms thrive by exploiting vulnerabilities. A defense-in-depth approach seals every weak entry point.

Along with complementary industry tools, LastPass SaaS Monitoring, SaaS Protect, and FIDO2 MFA help you outsmart worm threats, old and new.

Everyone’s heard of Stuxnet, the world’s most famous worm. And Conficker, the largest worm outbreak since SQL Slammer, infecting millions of devices across 190 countries. But long before Stuxnet and Conficker, there was the Morris worm. Its core capabilities - like self-replication and network scanning - became the blueprint for all future worms, including Stuxnet and Conficker. 

And shockingly, it wasn’t a black hat cabal that launched the world’s first worm, but a quiet, young prodigy more fluent in code than small talk.  

In 1988, fresh out of Harvard and deep into his first year of grad school at Cornell, Robert Tappan Morris Jr. created a worm largely out of intellectual curiosity. His goal? To test how far and fast his worm could spread across ARPANET (a network of academic and military institutions and the precursor of our modern Internet).  

But here’s the million-dollar question: How did the son of an NSA cryptography expert become the architect of chaos? Stay tuned, as we explore computer worms and the defenses you need to stay safe. 

What is a computer worm and how does it work? 

In a nutshell, a computer worm is self-replicating malware that doesn’t need a host file to spread.  

The Morris worm was the very first worm to exploit OS vulnerabilities to infect a large network. Robert Tappan Morris unleashed his creation not from Cornell but from MIT (to cover his tracks) on the evening of November 2, 1988. The worm managed to bring down 6,000 of the 60,000 UNIX-based computers connected to ARPANET. 

Unsurprisingly, Morris used a known method to infiltrate UNIX machines, which was exploiting vulnerable applications like: 

fingerd

  • Role: a UNIX utility used to look up and display information about users logged into a computer network 
  • Exploit: Morris sent specially crafted requests to overflow the memory buffer and execute arbitrary code, allowing the worm to gain unauthorized access

sendmail

  • Role: a mail transfer agent (MTA) that routes and delivers email on UNIX and Linux systems
  • Exploit: Morris sent specially crafted SMTP (simple mail transfer protocol) requests to activate debug mode, which let him execute shell commands remotely. This enabled the worm to install itself on target machines, effectively granting it elevated privileges. 

rexec

  • Role: a UNIX utility for executing commands on remote systems 
  • Exploit: Morris exploited rexec’s reliance on password-only authentication. He programmed the worm to gain access by brute forcing passwords. Each time the worm succeeded, it used rexec to run commands and install itself. 

While the Morris worm didn’t destroy or damage any files on ARPANET, it slowed critical functions like email services for days. This was due to an error when Morris programmed the worm. Originally, the worm was supposed to spread slowly from machine to machine, hiding in the background to evade attention. 

But after Morris made a mistake in the number chosen for replication, the worm multiplied uncontrollably, creating dozens or hundreds of copies on each machine it entered. This led to system overloads and thus, service disruptions at institutions like Harvard, NASA, the Lawrence Livermore National Laboratory, and Stanford. 

As for Morris, what was he thinking? His Harvard professors noted he was a UNIX genius, someone whose technical brilliance was a clear asset. And Morris didn’t have a vicious streak: had he wanted to, he could have brought down ARPANET altogether. 

At Cornell, an independent investigative commission concluded that, although there was “no direct evidence to suggest...Morris intended for the worm to replicate uncontrollably,” he still ignored the “obvious effect it would have on countless individuals who had to devote substantial time to cleaning up the effects of the worm, as well as...those whose research...was interrupted or delayed.” 

As for Morris, he was convicted of breaking the 1986 Computer Fraud and Abuse Act and sentenced to a fine, probation, and 400 hours of community service.  

His story, however, is a rare case of a cautionary tale turned into a transformative legacy. In 2019, Morris was elected to the National Academy of Engineering for his impact in advancing wireless technologies.  

And as of 2025, he’s a respected professor of computer science at MIT and co-founder of Y Combinator, which has funded over 5,000 startups including iconic companies like DoorDash, Reddit, Airbnb, Instacart, Dropbox, and Stripe. 

And the Morris worm? It will forever be known as the catalyst that shattered universal assumptions of safety. Its legacy is two-fold: the rise of Zero Trust and the birth of CERT (Computer Emergency Response Team), which enables cross-sector action during large-scale cyber-attacks. 

What is the most famous computer worm?  

In discussions on the subject, two names come to mind: ILOVEYOU and Stuxnet. 

But which is more famous depends on context. 

Let’s start with ILOVEYOU, a worm-virus hybrid and the first major example of how social engineering was weaponized on a massive scale.  

ILOVEYOU was created by yet another computer science student, Onel de Guzman, who hails from the Philippines. It leveraged simple but irresistible human emotions – curiosity and affection – to lower people’s defenses.  

The email’s subject line “ILOVEYOU” and the attachment “LOVE-LETTER-FOR-YOU.TXT.vbs” gave the impression that it was a love letter from someone known.  

This was enough motivation for users to open the attachment, a malicious VBScript file.  

Once the attachment was run, the worm overwrote important files (showing its virus characteristics) and automatically sent copies of itself to everyone in the victim’s Outlook address book (showing its worm characteristics).  

ILOVEYOU infected over 45 million computers in just 24 hours, caused up to $15 billion in damages, and disrupted operations across the military, U.S. Congress, and British Parliament. 

Stuxnet, on the other hand, is famous for different reasons. It was the first worm used as a cyber weapon to sabotage industrial equipment, specifically Iranian nuclear centrifuges at the Natanz facility. 

Stuxnet was designed to target Siemens S7 programmable logic controllers (PLC), which are widely used to manage power grids, oil pipelines, and nuclear facilities. Two versions of Stuxnet were deployed to sabotage the Natanz nuclear enrichment plant. The first targeted the valves on the centrifuges, while the second altered the speed at which the centrifuges were spinning.  

Throughout the operation, Stuxnet sent false feedback to Natanz monitoring systems to hide deepening malfunction from plant engineers. Ultimately, Stuxnet was said to have destroyed more than 1,000 centrifuges. 

In summary, ILOVEYOU is famous for being the first worm to leverage social engineering at scale for massive public disruption, while Stuxnet is famous for being the first worm used as a cyber weapon in geopolitical conflict. 

Are computer worms still around?  

Yes, computer worms still exist and continue to pose significant threats worldwide. Two of the most notorious worms in history, Conficker and WannaCry, caused serious disruption across borders. 

Conficker, emerging in 2008, infected as many as nine (9) million personal computers worldwide. Its initial entry point was a buffer overflow vulnerability in Windows, which allowed Conficker to gain remote code execution privileges on personal devices. 

Once in, the worm disabled security tools, blocked antimalware updates, and turned each infected device into part of its botnet army. And that’s not all: Each infected machine then generated hundreds of domain names daily, using a built-in algorithm.  

These domain names weren’t registered but were on “standby” as potential C2 (command & control) points. 

This was a massive nightmare for security teams. Here’s why: 

  • The attackers only had to register a few of those domains each day to give “instructions” to millions of their botnet “soldiers” (infected devices). 
  • Security teams had no way of knowing which domains would be used (and the list changed daily). 

To contain the worm and regain some control over its spread, the Conficker Working Group (CWG) was formed. It consisted of security researchers, law enforcement, antivirus vendors, ICANN, and domain registries. 

Efforts focused on preemptively registering domains (before the attackers did) and directing traffic from infected machines to safe servers (sinkholes). This effectively cut off communications with C2 servers and neutralized the ability of the botnet to grow.  
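The pre-computation that makes this kind of sinkholing and detection possible, as an added example (not from the original article, and not Conficker's actual algorithm): a toy date-seeded generator stands in for the reverse-engineered one, and the defender builds the day's watchlist and flags clients in a constructed DNS log that query it. The function names, log format, hashing scheme and domain count are assumptions.

```python
import hashlib
from collections import defaultdict
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")  # assumed TLD set for the toy algorithm

def predicted_domains(day, count=250):
    """Toy date-seeded generator standing in for a reverse-engineered DGA.
    Hypothetical: this is NOT Conficker's real algorithm."""
    out = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4  # label of 8 to 11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        out.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return out

def watchlist(day, skew_days=1):
    """Domains for day +/- skew_days, since infected hosts may have wrong clocks."""
    names = set()
    for offset in range(-skew_days, skew_days + 1):
        names.update(predicted_domains(day + timedelta(days=offset)))
    return names

def parse_dns_log(lines):
    """Yield (client_ip, qname) from 'timestamp client_ip qtype qname' lines."""
    for line in lines:
        parts = line.split()
        if len(parts) == 4:  # skip malformed or truncated records
            yield parts[1], parts[3].rstrip(".").lower()

def suspected_hosts(lines, day, min_hits=3):
    """Clients that queried at least min_hits distinct predicted domains."""
    watch = watchlist(day)
    hits = defaultdict(set)
    for client, qname in parse_dns_log(lines):
        if qname in watch:
            hits[client].add(qname)
    return {c: sorted(q) for c, q in hits.items() if len(q) >= min_hits}

def sample_log(day):
    """Constructed resolver log: one noisy client, one benign, one malformed line."""
    today = predicted_domains(day)
    yesterday = predicted_domains(day - timedelta(days=1))
    lines = [f"t{i} 10.0.0.23 A {name.upper()}." for i, name in enumerate(today[:4])]
    lines.append(f"t4 10.0.0.23 A {yesterday[0]}")    # host with a lagging clock
    lines.append("t5 10.0.0.40 A www.example.com.")   # ordinary lookup
    lines.append(f"t6 10.0.0.40 A {today[9]}")        # one hit: below threshold
    lines.append("truncated-line")
    return lines

if __name__ == "__main__":
    day = date(2025, 1, 15)  # constructed date
    for host, names in suspected_hosts(sample_log(day), day).items():
        print(host, len(names), "predicted domains queried")
```

The `min_hits` threshold keeps a single coincidental lookup from flagging a host; the same watchlist can feed a resolver blocklist or a list of domains to register ahead of time.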

Meanwhile, the WannaCry cryptoworm infected over 200,000 computers across 150 countries, encrypting files and demanding ransom payments to unlock them. 

WannaCry crippled healthcare systems: About 40 NHS hospitals in the UK had to cancel appointments, postpone surgeries, and turn patients away, which directly endangered lives. In Spain, telecom and utility providers had to shut down operations.  

And in France, carmaker Renault’s production lines came to a standstill. Across the world, WannaCry halted delivery services, affecting daily life and commerce for millions.  

Legacy worms like Morris, WannaCry, and Conficker have paved the way for newer worms like Tangerine Turkey, Raspberry Robin, and P2PInfect, all of which leverage more advanced stealth and persistence techniques. 

And in 2024, researchers from Cornell Tech, Intuit, and the Israel Institute of Technology developed a never-before-seen AI-powered, self-replicating worm, which they christened “Morris II.”  

The worm can trick AI platforms into generating and executing malicious prompts without user interaction.  

The researchers hope Morris II serves as a wake-up call to the security community about the need for stronger protections around AI, especially to prevent data exfiltration.  

This is a valid concern, and I believe they would have been heartened by the discussions at this year’s ISC2 conference on Artificial Intelligence.  

There, several speakers emphasized the need for guardrails, for building AI systems that are trustworthy, fair, and secure, especially in critical areas that impact everyone’s health and privacy. During the Q&A sessions, many security professionals agreed that balancing safety with usability was non-negotiable. 

This heightened awareness of AI-powered threats has spurred new best practice frameworks and cross-industry collaboration, fostering collective determination and innovation.  

So, while computer worms are alive and more dangerous than ever, I’m optimistic this proactive stance will shape a more secure, resilient future as the threat landscape grows more complex. 

What are the signs my computer has a worm? 

Knowing how to detect a worm on your computer is important. If you see any of these signs, you may have a worm infection on your hands:  

  • Missing or modified files 
  • Programs launching automatically 
  • Lagging system performance 
  • Unexpected freezes or crashes 
  • Unusual spike in network traffic 
  • Massive file duplication filling up your hard drive quickly 
  • Disabled security software 
  • Unusual login attempts from unfamiliar locations 
  • A flood of pop-ups you can’t easily shut down 
  • Emails sent from your account without your knowledge 
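On a business network, the "unusual spike in network traffic" sign can be checked against flow records: a worm scanning for new hosts contacts many distinct destinations on one port in a short time. The detector below is an added example, not part of the original article; the record format, addresses, port, window and threshold are constructed assumptions.

```python
from collections import defaultdict

def parse_flow(line):
    """'epoch_seconds src_ip dst_ip dst_port' -> tuple, or None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return int(parts[0]), parts[1], parts[2], int(parts[3])
    except ValueError:
        return None

def detect_fanout(lines, window=60, threshold=20):
    """Return {(src, port): peak} for sources that reached `threshold` or more
    distinct destinations on one port within any `window`-second span."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_flow(line)
        if rec:
            ts, src, dst, port = rec
            events[(src, port)].append((ts, dst))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        left, best = 0, 0
        in_window = defaultdict(int)  # destination -> flows inside the window
        for ts, dst in evs:
            in_window[dst] += 1
            # Slide the left edge forward past flows older than the window.
            while evs[left][0] <= ts - window:
                old = evs[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        if best >= threshold:
            alerts[key] = best
    return alerts

def sample_flows():
    """Constructed flow records (documentation address ranges)."""
    flows = [f"{1000 + i} 10.0.0.23 192.0.2.{i + 1} 445" for i in range(30)]        # 30 hosts in 30 s
    flows += [f"{1000 + i} 10.0.0.40 198.51.100.7 443" for i in range(50)]          # busy, one server
    flows += [f"{1000 + 60 * i} 10.0.0.50 203.0.113.{i + 1} 445" for i in range(30)]  # one host a minute
    flows.append("not-a-flow-record")
    return flows

if __name__ == "__main__":
    for (src, port), peak in detect_fanout(sample_flows()).items():
        print(f"{src} reached {peak} distinct hosts on port {port} within the window")
```

Counting distinct destinations rather than raw volume keeps a busy client of one server from alerting; a slow scanner such as the third sample host stays under the threshold, so the window and threshold need tuning per network.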

What are the types of computer worms, and how do you get rid of a computer worm? 

Are computer worms easy to get rid of? The short answer: Not always. 

This type of self-replicating malware often resists removal due to its stealth and speed. To understand how to conquer this formidable enemy, it’s important to know what you’re up against. 

Below, we break down each worm type (with real-world examples) and the defenses you need to stay safe in 2025 and beyond. 

 

Network worms

  • Examples: Conficker, W32.Blaster (MSBlast)
  • How it spreads:
      - Spreads by exploiting vulnerabilities in OS & network services
      - Conficker exploited a flaw in a Windows Server service and weak admin passwords to spread
      - W32.Blaster exploited a buffer overflow vulnerability in the Windows DCOM RPC service to spread; affected at least 166,000 computers worldwide; shut down the Federal Reserve Bank of Atlanta and the Maryland Motor Vehicle Administration
  • How to protect:
      - Deploy network firewalls, intrusion detection systems (IDS)
      - Use antivirus software
      - Create strong, unique passwords with the LastPass generator and employ LastPass FIDO2 MFA to block unauthorized access. Get FIDO2 MFA with your free LastPass Business Max trial today.

Internet worms

  • Examples: Code Red, SQL Slammer (Sapphire)
  • How it spreads:
      - Exploits vulnerabilities in network protocols
      - Code Red targeted Microsoft IIS web servers and spread by sending HTTP requests to vulnerable web servers; attacked 300,000 computers worldwide
      - SQL Slammer exploited a buffer overflow in Microsoft SQL Server
      - SQL Slammer infected 75,000 hosts in 10 minutes and could scan up to 55 million IP addresses per second to find other vulnerable hosts
  • How to protect:
      - Keep OS, antivirus, and software updated
      - Use NGFW firewalls with IPS (intrusion prevention system), deep packet inspection, & behavioral analysis capabilities to detect and block worm threats

File sharing worms

  • Examples: Kazaa Worm, LimeWire Worm
  • How it spreads:
      - Spreads through files shared via P2P networks like Kazaa and LimeWire
  • How to protect:
      - Remove all P2P file-sharing software like LimeWire, Kazaa, uTorrent, and similar programs if not needed. P2P apps are common vectors for worms and malware.
      - Avoid downloading from untrusted P2P sources
      - Use reputable EDR (endpoint detection and response) to detect and quarantine worms
      - Deploy LastPass SaaS Monitoring + LastPass Protect to set controls blocking P2P app downloads and P2P file sharing. Get LastPass SaaS Monitoring + SaaS Protect with your free trial of Business Max today.
      - Enforce LastPass FIDO2 MFA for logins

Crypto worms

  • Examples: WannaCry, BadRabbit
  • How it spreads:
      - Encrypts files and demands a ransom
      - WannaCry used the EternalBlue exploit to infect unpatched Windows systems
      - BadRabbit used the EternalRomance remote code execution exploit to spread across networks
  • How to protect:
      - Keep backup copies of important files
      - Apply security patches promptly
      - Use anti-ransomware tools
      - Avoid opening suspicious attachments

Spyware or backdoor worms

  • Examples: Stuxnet, MyDoom
  • How it spreads:
      - Spreads through pirated apps, phishing emails, or removable media like USB drives
      - Stuxnet spread through infected USB drives; famous for attacking the Natanz nuclear enrichment facility
      - MyDoom spread through infected email attachments and P2P file shares; famous for being the most expensive worm outbreak in history
  • How to protect:
      - Implement NGFW (next-generation firewalls), intrusion detection systems (IDS), and endpoint protection
      - Keep up all software, app, and OS updates
      - Use high-performance anti-malware with behavioral analysis
      - Disable AutoRun feature for USB sticks to prevent automatic execution of files when a drive is inserted
      - Create strong, unique passwords with the LastPass generator and employ LastPass FIDO2 MFA to block unauthorized access that could enable backdoor infections. Get FIDO2 MFA with your free LastPass Business Max trial today.

IRC worms

  • Examples: IRC Spybot, IRC Sdbot, IRC Mytob
  • How it spreads:
      - Spreads via Internet Relay Chat (IRC) networks by causing an infected IRC client to send a copy of the worm’s executable file to every user who joins the channel
  • How to protect:
      - Avoid opening unknown links in IRC chats
      - Disable auto-execution of scripts as worms can spread through script execution
      - Restrict automatic file transfers
      - Keep antivirus and IRC client software updated
      - Create strong, unique passwords for IRC connections with the LastPass generator and enable LastPass MFA

Email worms

  • Examples: ILOVEYOU, Melissa, Sobig
  • How it spreads:
      - Spreads by emailing itself to contacts via infected attachments or links
      - ILOVEYOU spread through email with a malicious .vbs attachment; famous for being the first worm to leverage social engineering for wide service disruptions
      - Melissa spread via Microsoft Word documents with malicious VBA macros; crippled email services at more than 300 corporations and government agencies worldwide; cost $80 million in clean-up and repair costs
      - Sobig spread through email attachments; cost $30 billion in damages due to lost productivity, repair costs, and disruption of email services worldwide
  • How to protect:
      - Avoid opening unexpected email attachments
      - Use antivirus software with email filtering
      - Keep OS, antivirus, and email clients updated
      - Create strong, unique passwords with the LastPass generator and employ LastPass FIDO2 MFA to block unauthorized access. Get FIDO2 MFA with your free LastPass Business Max trial today.

 

 

FAQs: Computer worm 

What’s the difference between a worm and virus? 

A computer virus needs you to do something – like open a file or click a link – in order for it to spread. The initial access vectors or entry points are email attachments, USB drives, or compromised files.  

A worm, on the other hand, spreads all by itself and can move across networks by exploiting security flaws. Worms often cause more damage because they spread quickly.  

Is a trojan a virus or worm? 

A trojan is neither a virus nor a worm. It’s often disguised as legitimate software but secretly carries a malicious payload (the part of malware that causes harm).  

Once inside a system, it can install backdoors, steal data, or enable remote code execution, letting attackers run commands on your device without your knowledge. 

Is ransomware a virus or worm? 

Ransomware is neither a virus nor a worm. It's a separate kind of malware that locks your device and demands money to unlock it. While ransomware doesn’t behave like a virus or worm, it can use similar tactics to spread, like exploiting network flaws or phishing techniques.  

In 2025, the three (3) key entry points for ransomware are phishing emails (37%), exploited vulnerabilities (32%), and compromised credentials (23%).  

What was the worst computer worm in history? 

The worst computer worm ever was MyDoom. It hit back in 2004 but still holds the record for damage (around US $38.5 billion, with inflation-adjusted costs estimated at US $50 billion). MyDoom spread through spam emails and launched DDoS attacks against two major companies: SCO Group and Microsoft.  

It was estimated that up to 25% of emails sent in 2004 were infected with MyDoom. While newer worms exist, none have matched MyDoom’s scale.  

Can a mobile phone get a worm? 

Yes, mobile phones can absolutely get worms. In 2025, mobile devices are just as vulnerable as computers. Worms can enter your device through unofficial apps, phishing links, or unsecured Wi-Fi.  

Currently, Android’s open ecosystem puts it at greater risk, but iPhones aren’t immune either. Once infected, a worm can spread to other devices on the same network, making mobile security more critical than ever. 

 
