Home News Press Room Press Releases Moroccan Authorities Sentence Two in Zotob Computer Worm Attack
This is archived material from the Federal Bureau of Investigation (FBI) website. It may contain outdated information and links may no longer function.

Moroccan Authorities Sentence Two in Zotob Computer Worm Attack

Washington, D.C. September 13, 2006
  • FBI National Press Office (202) 324-3691

Washington, D.C. —Moroccan authorities announced the sentencing of two individuals believed to be responsible for the creation and distribution of the "Zotob" computer worm that was unleashed one year ago and disrupted services on computer networks of more than 100 U.S. companies including major news organizations.

With the help of Moroccan authorities, the Ministry of Interior Turkish National Police, and valuable assistance from Microsoft Corporation, three individuals were arrested on August 25, 2005, just 12 days after the worm was released. Arrested in Morocco was Farid Essebar, 18, a Moroccan national born in Russia who went by the screen moniker "Diabl0" and his 20-year old friend, Achraf Bahloul. Arrested in Turkey was Atilla Ekici, aka "Coder," a 21-year old resident of Turkey. All individuals were subject to local prosecution. The Moroccan court convicted the two Moroccan men for conspiracy, theft, using forged credit cards and illegal access to computer systems. Essebbar was sentenced to two years, and Bahloul was sentenced to one in prison.

FBI Cyber Division Assistant Director James E. Finch said, "The only way to identify and prosecute cyber criminals in the 21st century is through effective partnerships between domestic and international law enforcement and from the private sector. This case is just one example of the global reach of these crimes. We commend the Moroccan authorities for the successful prosecution of these individuals."

At the time of their arrests, Microsoft Senior Vice President and General Counsel Brad Smith said, "We congratulate the Turkish and Moroccan authorities and the FBI for finding and apprehending the alleged distributors of the Zotob and Rbot worms so quickly. These arrests demonstrate the value of public-private collaboration - the first-class investigative work by the authorities and 'round-the-clock technical and investigative support provided by our Internet Crime Investigations Team here at Microsoft. The results show clearly that cyber criminals will be identified, apprehended and held accountable for their actions."

W32.Zotob is a worm that targets Windows 2000 and XP-based computers. The worm opens a back door and exploits the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (described in Microsoft Security Bulletin MS05-039). By lowering the Microsoft Internet Explorer security settings, the virus was able to successfully infect 100% of the computers that executed the worm.

Information concerning the worm and its removal can be located on the Microsoft Website at: www.microsoft.com/security/incident/zotob.mspx

To protect against various computer infections, PC users should adopt a maintenance mindset to help keep their devices safe, and practice good security behaviors. These include using an Internet firewall, diligently installing security updates, using up-to-date antivirus software, as well as using newer and more secure software that has been engineered to better protect against emerging online threats.