Update: Most Destructive Malware of All Time

All malware is inherently dangerous, but there are a few threats that stand out amongst the others when it comes to inflicting damage. We took a look at some of the most destructive malware of all time from traditional viruses, worms and Trojans to increasingly prevalent PUAs such as adware and spyware. This list, while covering most of the all-time worst threats, is not all- inclusive. For example, notable threats are not on this list such as the ILOVEYOU bug, although they also rank as highly destructive. How many of these threats do you remember?

1. CIH Virus - 1998

The CIH virus, also known as the "Chernobyl virus", was named after the explosion of the nuclear plant in Russia because it was written to execute on the anniversary of the explosion. The virus worked by wiping data from the hard drives of infected devices and overwriting the BIOS chip within the computer, which rendered the device unusable. BIOS chips, originally manufactured by IBM for PCs, are a type of firmware used when a device is booted or turned on. This virus caused tremendous damage because the BIOS chip was not removable on many PCs, requiring the user to replace the entire motherboard. The virus was created by a student at the Taipei Tatung Institute of Technology, named Chen Ing Hau. Although the virus caused millions of dollars in damages, Chen was never imprisoned or fined and actually got a job at a software company through his resulting infamous creation.

2. Melissa Worm - 1999

The Melissa worm was a macro virus that caused millions of dollars in damages to infected PCs. The virus spread via email and was supposedly created by David L. Smith, who named the virus after an exotic dancer from Florida. The virus used an enticing subject line to get its victims to open it. Once the email was opened, the virus was able to replicate and send to an additional 50 email addresses accessed through the originally infected computer.

3. Code Red Worm - 2001

Code Red was a computer worm that affected almost 360,000 computers by targeting PCs that were running Microsoft's IIS web server. The worm was first discovered by two eEye Digital Security employees and was named for the Code Red Mountain Dew they were drinking when they discovered it. The worm targeted a vulnerability in Microsoft's IIS web server using a type of security software vulnerability called a buffer overflow.

Spread of the Code Red worm from Caida

4. Slammer Worm - 2003

In January of 2003, the Slammer worm struck 75,000 users with a DoS attack. The worm targeted a vulnerability found in Microsoft SQL and spread rapidly. Denial-of-service attacks are used by malware writers to overload a companies' network with meaningless traffic, eventually causing the network to crash. Owen Maresh of Akamai is credited with being the first person to discover the destructive worm from Akamai's Network Operations Control Center. At its height, the Slammer Worm sent 55 million database requests across the globe and is said to have spread within just 15 minutes, surpassing the speed of the Code Red Worm from 2001.

5. SoBig.F Worm - 2003

The SoBig.F Worm was a piece of malware that appeared only a few weeks before the Slammer worm mentioned above. The SoBig.F worm entered a device via email, which if opened could search the infected computer for additional email addresses, then sending messages to those aliases. The worm caused $37.1 Billion in damages and is credited with bringing down freight and computer traffic in Washington D.C, as well as Air Canada. Email subject lines used to entice users included, "Your details, Thank you!, "Re: Details, Re", "Re: My details", as well as various others. The speed at which the worm spread is said to surpass that of the ILOVEYOU virus and Anna Kournikova worm, both of which also spread via email. The worm's creator still remains unknown.

6. My Doom Worm - 2004

The My Doom worm, known as one of the fastest spreading viruses in history, passes both the ILOVEYOU bug and SoBig worm in speed. It was transmitted via email and usually contained a variety of subject lines including, "Error", "Mail Delivery System", "Test" or "Mail Transaction Failed". Though its creator still remains unknown, some speculate that it originated in Russia. The worm was first discovered and named by an employee at McAfee for the line, "mydom" that appeared in its code.

7. Stuxnet Worm - 2010

The Stuxnet Worm entered devices through infected USB drives and thus had to be manually inserted into a device in order to spread. The dangerous thing about this particular virus is that internet connectivity was not needed for it to spread, making it particularly fatal for critical infrastructure plants. Once on a device, the worm would then run a check to see if the infected device had access to industrial control systems. If it did, the worm would then take control of plant centrifuges, causing them to eventually fail. The main victims of Stuxnet's payload were Iranian nuclear plants and a uranium enrichment plant. Although not verified, some believe that the United States and Israel were responsible for the creation of the worm, in order to hamper Iranian nuclear development.

Stuxnet Diagram from L-Dopa

8. Cryptolocker Trojan - 2013

The Cryptolocker Trojan is ransomware that encrypts its victims' hard drives and then demands a payment. When the ransom message appears on the victim's computer, they are given a time limit in which they must pay the ransom in order to unlock their files. The Trojan enters a user's system through an email, supposedly sent by a logistics company. Within the email, there is an attached zip file which contains a PDF that requires the user to enter a provided password to open. Once opened, the Trojan begins its attack on the victim's computer. By posing as a legit company, the ransomware uses social engineering to trick the user into performing the required actions.

Cryptolocker Screenshot from Bleeping Computer

9. ZeroAccess Botnet - 2013

Known as one of the largest botnets in history, ZeroAccess affected over 1.9 million computers, using them to earn revenue through bitcoin mining and click fraud. Botnets involve a group of computers, also known as zombies, that are controlled by malicious software and used to send SPAM emails or launch HTML attacks, the first of which was utilized by the ZeroAccess Botnet. These controls are orchestrated by the BotMaster or the command center of the botnet. The SPAM emails sent by the botnets often contain malware that is then used to infect more computers.

10. Superfish Adware - 2014

Superfish adware made its claim to fame through a class action lawsuit filed against Lenovo, the largest maker of PCs in the world. Superfish spyware came pre-installed on Lenovo machines without Lenovo customers being told of its existence. Superfish installed its own root certificate authority which allowed it to void SSL/TLS connections, creating an opening or "hole" for attackers. This exposed Lenovo users to potential cyber criminals while providing Superfish and Lenovo with a way to target unsuspecting users with tailored advertisements.

11. Locky Ransomware - 2016

2016 saw a massive increase in ransomware, and with that came Locky, a threat with a massive payload delivered via a phishing email. These emails contain a Javascript attachment with an executable that triggers the Locky ransomware attack once clicked on. Locky employed extremely strong RSA and AES encryption, encrypting files not just on the infected system but also unmapped network drives connected to the point of infection, deleting volume shadow snapshots. In other words, it anticipates remedial actions and is specifically designed to prevent you from restoring your files by deleting shadow copies.

12. WannaCry Ransomware - 2017

WannaCry, the most destructive ransomware variety of 2017 (so far), hit over 150 countries and over 100,000 organizations, including major corporations and various government agencies. This ransomware was initially introduced to systems via phishing emails and spread using a known Windows vulnerability.

Initial reports said that the United Kingdom National Health Service was infected by the ransomware, affecting up to 16 U.K. hospitals. Wanna Decryptor was a ransomware attack of unprecedented scale and sophistication. Unlike previous ransomware varieties, WannaCry uses a worm to infect other systems, spreading through an entire network. More attacks like this are expected to come in 2017.


1. ESET Reference
2. TCM Resource
3. PC Mag Reference
4. F-Secure Reference
5. WIRED Reference
6. CNN Reference
7. Naked Security Reference
8. IEEE Spectrum
9. Panda Security Reference
10. ZDNet Reference
11. CNET Reference
12. Fox News Reference

Sign up for Blog updates

Get information and insight from the leaders in advanced threat prevention.