Morris worm: November 1988

Spread by buffer overflows in fingerd, sendmail,
rexecd.

Uses local host tables (hosts.equiv, .rhosts) to learn about more targets.

Also guessed passwords based on /etc/passwd

60,000 Internet hosts at this time.