[Dshield] Two Arrested in Zotob Worm Probe
jayjwa at atr2.ath.cx
Sat Aug 27 13:54:46 GMT 2005
On Fri, 26 Aug 2005, Fergie (Paul Ferguson) wrote:
-> Two men have been arrested regarding the Zotob PnP worm case.
-> Moroccan authorities arrested "Diabl0", aka Farid Essebar and Turkish
authorities arrested "Coder", aka Atilla Ekici. The suspects are aged 18
and 21, respectively.
-> Both nicknames can be found from the code of Zotob.A: the worm
connected to an irc server named "diabl0.turkcoders.net" and contained the
words "Greetz to good friend Coder".
-> Diabl0 is most likely associated with some of the Mytob variants too.
Lesson #1: Never put your name in your worm/virus/irc-bot binary. F-Secure
looks for subliminal messages there.
Lesson #2: Never have it connect back to your own server (if said server
also contains your name, see #1, above).
(Before I get a dozen angry #3 "don't write worms" replies, to quote
Foghorn Leghorn: "It's a joke, son.")