The Morris Worm

On the evening of November 2, 1988, a program began moving through the early Internet on its own. The appellate court record in United States v. Morris describes how Robert Tappan Morris, then a first-year graduate student at Cornell, “released into INTERNET, a national computer network, a computer program known as a ‘worm’” that “spread and multiplied, eventually causing computers at various educational institutions and military sites to ‘crash’ or cease functioning.”

The worm exploited flaws in widely deployed BSD-derived UNIX software. Morris designed it to spread quietly, but a flaw in its own logic made it re-infect machines far faster than he expected, so heavily loaded systems ground to a halt. The court record notes the worm did not destroy files; the damage came from the load it placed on the network as it copied itself again and again.

The incident drove an immediate institutional response. The Software Engineering Institute at Carnegie Mellon, in its 1988 advisories archive, documents the vulnerabilities being exploited in network services such as sendmail and the warnings issued in the days that followed, work tied to the founding of the first Computer Emergency Response Team (CERT).

Morris was convicted under the Computer Fraud and Abuse Act of 1986, 18 U.S.C. Section 1030(a)(5)(A); the Second Circuit affirmed in 1991, holding that the government need only prove he intentionally accessed computers without authorization, not that he intended the resulting damage. It was the first felony conviction under that statute, and the worm became the canonical example of how a small mistake in self-replicating code can cascade across a whole network.