Between the two it is Code Red but I think the current winner is either Sobig.xxx or Blaster (and all it's renditions). I know my customer is still dealing with several infections of Blaster-like infections world-wide and they can't possibly be alone in this.

It seems that most "destructive" and wide-spread are almost synonymous today. Early on, Jerusalem was not very "destructive" (by today's standards) and wasn't very wide-spread either since it required a floppy to spread from system to system - aaaaaah good ol' sneaker net daze...

Robert Morris' exercise wasn't very wide-spread either but it managed to take out nearly 30% of the internet (as it stood in 1988) and THAT was a real bastard!

Point is, not to reminisce but to say that something doesn't have to be wide-spread to be "destructive" but lately that seems to be the trend. The writers are getting better at exploiting zero-day vulnerabilities and putting them into hybrid attacks (mail, web, server-side exploits, well-known services, etc...)