Farid Essebar, 18, of Morocco - codename Diablo - allegedly wrote both worms, FBI and Microsoft officials said in a conference call Friday. The other man arrested was Atilla Ekici, 21, of Morocco - codename Coder - with whom Essebar had a financial relationship.
"We believe there was financial gain on the part of the Moroccan with regards to writing of the code," said Louis Reigel, FBI Cyber Division assistant director.
Zotob, released earlier this month, targeted vulnerable Windows 2000 computers. A variant of it shut down systems at several major media outlets worldwide, including CNN, ABC and the New York Times.
Brad Smith, Microsoft general counsel, said the suspects are believed to have been involved in the Mytob worm from earlier this year as well as Arbot.
Microsoft's Internet Crime Investigations Team was able to glean information about the source of the attacks by dissecting the worms, Smith said. Microsoft shared that information with the FBI, which then shared the data with Moroccan and Turkish authorities.
"This case happened very quickly," Reigel said. "We had one week into the investigation and were successful because of our international relationships - particularly in Turkey and Morocco - and with support from Microsoft."
Reigel did not know what specific charges the suspects face. The case remains under investigation both in the U.S. and internationally, he said.
Smith said the quick arrest illustrates the progress in international cooperation in tracking down cybercriminals.
"Clearly this kind of public-private collaboration is a model," he said.