| Worm (Author) | Release/Discovered Date | Characteristics | Damage |
| --- | --- | --- | --- |
| Creeper (Bob Thomas) | Early 1970s | Infected DEC PDP-10 computers running the TENEX OS. It replicated copies of itself to remote systems via ARPANET and displayed the message "I'm the creeper, catch me if you can!" | No damage. Was an experimental program. |
| Morris (Robert Tappan Morris) | 2-Nov-88 | Infected DEC VAX and Sun machines connected to the internet, running BSD UNIX OS. It targeted a buffer overflow flaw in the operating system. | Over 10 million USD |
| Happy99 (Spanska) | Mid Jan 1999 | Infected Windows OS. When executed, it modified Winsock and attached itself to all mail sent by the user. | No physical damage |
| Melissa (David L. Smith) | Mid March 1999 | Was a macro in a Word file that contained passwords to 80 pornographic websites. When the macro was executed, it picked up the first 50 entries in the address book of the host and mailed a copy of itself to them. It clogged the mail servers. | Estimated over 400 million USD |
| ExploreZip (Author not known) | 6-Jun-99 | Propagated as a zipped attachment in Microsoft Outlook and registered itself in the Windows NT Registry. Re-executed itself upon system reboot and mailed itself to everyone in the Outlook address book. Also deleted Microsoft documents and C and C++ source files on the host. | Not known. |
| ILOVEYOU ([alleged] Irene and Onel de Guzman, Reomel Lamores) | 4-May-00 | Propagated as a .VBS attachment in Outlook mails and mailed itself to all the users on the user's mailing list. Changed the extensions of many files to .VBS and overwrote some others. Was also known to steal passwords and credit card information. | 5.5 to 10 billion USD |
| Sadmind (Author not known) | 8-May-01 | Attacked Sun Solaris and Microsoft IIS servers. Defaced US Government and anti-China websites. | Not known. |
| Sircam (Author not known) | Jul-01 | Propagated as a mail attachment and, when the file was opened, installed itself on the host. It then scanned the drive for .xls and .doc files and randomly selected a file to email to the people on the user's contacts list. It also scanned the shared network drives and copied itself to them. It then used Remote Procedure Calls to trigger the worm on the remote machine. | No physical damage |
| Code Red (Author not known) | 13-Jul-01 | Affected IIS servers and defaced websites that it hacked. Scanned all the hosts in the vicinity of the host and propagated itself. It did not check whether the next host ran an IIS server or not. Used a buffer overflow to execute binary code. | 1.2 billion USD |
| Code Red II (Author not known) | 4-Aug-01 | Similar to Code Red, but infected the machines on the same subnet as the host. | Over 2 billion USD |
| Nimda (Author not known) | 18-Sep-01 | Had 4 different propagation vectors: compromised websites, LAN, emails and executables. Caused worldwide DoS attacks. | 8.75 billion USD |
| Klez (Author not known) | 26-Oct-01 | Exploited Microsoft IE's Trident engine. Propagated as an attachment in mails and depended upon either buggy HTML engines or user action to execute. Once executed, it would pick a file at random and mail it to the addresses on the user's mailing list. | Not known. |
| Slammer (Author not known) | 25-Jan-03 | Exploited a buffer overflow in Microsoft SQL Server. Slowed internet traffic worldwide. | Over 1 billion USD |
| Blaster (Jeffrey Lee Parson, B variant) | 12-Aug-03 | Used SYN flood attacks on windowsupdate.com, causing DDoS. | Over 500 million USD |
| Sobig (Author not known) | 19-Aug-03 | Scanned 20 IP addresses in the vicinity of the host and sent unsolicited mails via UDP port 8998. Caused major clogging of the mail servers. | Over 5.5 billion USD |
| Sober (Author not known) | 24-Oct-03 | Affected the Windows operating system. Began as an email purporting to come from the FBI, stating that the user had been caught downloading pirated software. The user was asked to fill out a questionnaire. When the user opened the attachment, the worm installed itself into many Windows directories. It then disabled firewalls and antivirus on the host and blocked access to assistance websites. It used the user's contacts list to send identical mails to everyone on the list. It was also suspected of stealing personal information from the host machine. | Not known. |
| Mydoom (Author not known) | 26-Jan-04 | Attacked Windows OS. Propagated as a "Sending Fail" mail and asked the user to resend the mail by clicking on the attachment. Once the user did that, it installed a copy of the worm on the host and sent a copy of itself to the email address. Once installed, it sent mail to different contacts in the user's address book and also copied itself to shared folders of peer-to-peer networks. It also opened a backdoor on the compromised PC to allow the hacker access at any time. | Over 22 billion USD |
| Witty (Author not known) | 19-Mar-04 | Disabled the antivirus and firewalls made by Internet Security Systems on the host. Propagated via UDP in batches of 20,000. Generated traffic of 9 gigabytes per second in some cases. Spread at the maximum data communication speed the host could offer. | Not known. |
| Sasser (Sven Jaschan) | 30-Apr-04 | The worm was reverse engineered from a Windows patch that was supposed to fix a buffer overrun in the LSASS component. This vulnerability could allow remote execution of code on the host without the knowledge of the user. The worm attacked all systems that had not installed this Windows update. | Over 14 billion USD |
| Santy (Author not known) | 20-Dec-04 | Santy was the first web-based worm that exploited a vulnerability in the PHP scripting language. The PHP scripting language had a feature that allowed a file on a remote PC to be appended to the URL. When the website opened, the file would get executed. The worm used this vulnerability to propagate. | Not known. |
| Nyxem/Blackworm (Author not known) | 3-Feb-06 | It was programmed to trigger on the 3rd of every month, 30 minutes after startup. It was designed to replace all document files on the host with DATAERROR.txt. | No known damage. |
| Stration (Author not known) | Sept, 2006 | Propagated as a mail from the mail server asking the user to install a security update, which was itself the worm. It opened connections to servers already compromised by the hackers and used those servers to propagate faster. It also used the contact list of the user on the host to propagate via email. | Not known. |
| Storm (Author not known) | 17-Jan-07 | Propagated as a news attachment in Europe and the US. The user was asked to open the attachment to see the news. It then compromised the host and placed it into a botnet. The worm created a new network much like a peer-to-peer network and used it for propagation. | Not known. |
| Koobface (Author not known) | 31-Jul-08 | Propagated as a message to people on Facebook. Once the user opened the message, he/she was redirected to a website affiliated with Facebook that asked the user to download an update to Adobe Flash. The downloaded file was the worm. Once installed, it directed the user to malicious websites. | Not known. |
| Conficker (Author not known) | Oct-08 | Used a specially crafted Remote Procedure Call that forced a buffer overflow and executed shellcode on the host. It then installed an HTTP server on the host, downloaded the worm in the form of a DLL and attached it to Windows processes. It also tried to hack shared drives and, if a drive was password protected, used brute force to hack the password. This generated a large amount of network traffic and also caused user account lockouts. | 1.2 million USD |