[Dshield] Two Arrested in Zotob Worm Probe

jayjwa jayjwa at atr2.ath.cx
Sat Aug 27 13:54:46 GMT 2005

On Fri, 26 Aug 2005, Fergie (Paul Ferguson) wrote:

-> Two men have been arrested regarding the Zotob PnP worm case.

-> Moroccan authorities arrested "Diabl0", aka Farid Essebar and Turkey 
authorities arrested "Coder", aka Atilla Ekici. The suspects are aged 18 
and 21, respectively.

-> Both nicknames can be found from the code of Zotob.A: the worm 
connected to a irc server named "diabl0.turkcoders.net" and contained the 
words "Greetz to good friend Coder".

-> Diabl0 is most likely associated with some of the Mytob variants too.

Lesson #1: Never put your name in your worm/virus/irc-bot binary. F-Secure 
looks for subliminal messages there.

Lesson #2: Never have it connect back to your own server (if said server 
also contains your name, see #1, above).

(Before I get a dozen argry #3 "don't write worms" replies, to quote 
Foghorn Leghorn: "It's a joke, son.")


More information about the list mailing list