The teenager arrested on suspicion of writing and distributing the Zotob Windows 2000 worm may have authored more than 20 other viruses, it has emerged.
The claim was made by anti-virus company Sophos, which has analysed a number of viruses incorporating the "Diabl0" handle or moniker used by the accused, 18-year-old Farid Essebar.
Other viruses and worms suspected of being his handiwork include a Mydoom variant, Mydoom-BG, and the Zotob-related Mytob worm, which the company says currently accounts for over half of all virus traffic reported to it in August.
The Russian-born Moroccan resident was arrested last Thursday, after computer forensic work by the FBI traced him and his alleged accomplice, Atilla Ekici, to addresses in Morocco and in Turkey.
Police have since widened their net in Turkey, arresting a further 16 people earlier this week on suspicion of distributing Zotob and Mytob, which caused widespread disruption to Windows 2000 systems around the world two weeks ago.
"It appears that whoever wrote Zotob had access to the Mytob source code, ripped out the email-spreading section, and plugged in the Microsoft exploit," said Graham Cluley of Sophos. The two used different methods to spread, but were otherwise closely related, he said. "It's possible that several people have access to the Mytob source code - so it may not be the last we see of this Internet scourge."
The case throws some light on the way that virus and worm distribution appears to be becoming a group rather than individual activity. It is also noteworthy that police have been able to trace the alleged culprits in only a matter of days. In the past, such investigations would have taken months and probably proved inconclusive.
What seems to have helped police unravel the true size of the group activity is the association of Essebar with a group called the 0x90-Team, which operated its own website to help with coordination. This site was defaced at the weekend, probably by a rival group.