Other
Zotob Worm: Windows 2000 MS05-039 Exploit (CNN, NYT, DHS Disrupted)
Primary Source: Incident Details
The Zotob worm emerged on August 13, 2005, just four days after Microsoft released the MS05-039 security patch for a critical Plug and Play buffer overflow vulnerability in Windows 2000. The worm spread rapidly via TCP port 445, targeting unpatched Windows 2000 systems and causing them to reboot repeatedly. Notable high-profile victims included CNN (live TV broadcasts disrupted, reporters seen rebooting machines on air), The New York Times (newsroom computers infected), and the US Department of Homeland Security. Approximately 13 variants were identified in total. The FBI investigated and arrested two suspects within 11 days: Farid Essebar (nicknamed ‘Diablo’), an 18-year-old Moroccan national, and Atilla Ekici, a 21-year-old Turkish national. Essebar was convicted and sentenced to 2 years in Morocco. Zotob was notable for: (1) the speed with which a newly disclosed vulnerability was weaponized; (2) the high visibility of its victims; and (3) the rapid law enforcement response. The incident reinforced the criticality of rapid patch deployment cycles and was frequently cited in discussions of zero-day and near-zero-day exploitation timelines.
Technical Details
- Initial Attack Vector
- Exploitation of MS05-039 (CVE-2005-1983), a critical buffer overflow vulnerability in the Windows Plug and Play service affecting Windows 2000 systems. The worm propagated automatically over TCP port 445 without requiring user interaction, exploiting unpatched systems within 4 days of the security patch release.
- Vendor / Product
- Microsoft Windows 2000 Plug and Play service
- Malware Family
- Zotob (IRCBot variant)
- CVE / GHSA References
- CVE-2005-1983
Timeline
- 2005-08-13 Breach occurred
- 2005-08-16 Publicly disclosed