The Witty worm, which infected more than 12,000 servers a year ago, came from a single computer in Europe and used a U.S. military base's vulnerable systems to kick-start the epidemic, according to an analysis released by three researchers this week.

The researchers combined records from the initial spread of the Witty worm along with an analysis of the random number generator used by the program to pick its targets and discovered that the worm almost certainly spread initially from a computer owned by a customer of a European Internet Service Provider. The analysis also found that about 10 percent of the Internet's addresses would not have been generated, thus infected, by the Witty worm and that 110 computers at a U.S. military base were likely among a "hit list" of systems that were targeted explicitly by the worm.

"We hope that the principle of exploiting a worm's structure will be more broadly applicable to forensics of future worms," said Vern Paxson, senior researcher with International Computer Science Institute at the University of California at Berkeley and one of the three researchers who co-authored the analysis of the Witty worm.

Paxson, along with another researcher at ICSI and a computer science graduate student at the Georgia Institute of Technology, published the results in a paper this week, including new details of the worm's spread.

The link for this article located at SecurityFocus is no longer available.