Arrested Zotob worm suspect linked to over 20 other viruses, Sophos reports

August 30, 2005 Sophos Press Release

The Zotob and Mytob worms allow hackers to take remote control of infected computers. Image copyright (c) Sophos

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have discovered that one of the men arrested last week in connection with the Zotob worm outbreak, which exploited a Microsoft security hole, appears to be linked to over 20 other viruses.

18-year-old Farid Essebar, a Russian-born resident of Morocco, was arrested by the authorities on Thursday 25 August, less than two weeks after worms disrupted high profile organizations around the world. An alleged associate, Atilla Ekici, was detained in Turkey and the authorities claim that he paid Essebar to write the worms.

Essebar is believed to go by the handle "Diabl0", a phrase embedded inside the W32/Zotob-A worm. It is not unusual for malware authors to leave their handles inside their malicious code, sometimes alongside other messages.

Sophos researchers have determined that over 20 other viruses include the "Diabl0" handle, including:

Versions of the Mytob worm are currently dominating worldwide virus reports - accounting for over 54% of all virus reports to Sophos so far during August 2005.

"To the untrained eye the Mytob and Zotob worms can appear quite different: one group of viruses travels via email, the other mostly by exploiting a Microsoft security hole. But when examined by an experienced virus analyst, the similarities become clear. It appears whoever wrote Zotob had access to the Mytob source code, ripped out the email-spreading section and plugged in the Microsoft exploit," said Graham Cluley, senior technology consultant for Sophos. "The Mytob worms have made a significant impact on the virus outbreak charts this year, so anything which may prevent future variants from being developed and released must be welcomed. However, it's possible that several people have access to the Mytob source code - so it may not be the last we see of this internet scourge."

Sophos continues to recommend that companies protect all tiers of their organization - their desktops, servers and email gateways - with automatically updated anti-virus software to reduce the risk of infection.