F - B O T --------- The F-Bot utility disinfects computers infected with all known by September 2005 variants of the following backdoors: Agobot (also known as Backdoor.Win32.Agobot) Aimbot (also known as Backdoor.Win32.Aimbot) Bozori (also known as Net-Worm.Win32.Bozori) Codbot (also known as Backdoor.Win32.Codbot) Forbot (also known as Backdoor.Win32.Forbot) IRCBot (also known as Backdoor.Win32.IRCBot) Mytob (also known as Net-Worm.Win32.Mytob) Poebot (also known as Backdoor.Win32.Poebot) Rbot (also known as Backdoor.Win32.Rbot) SDBot (also known as Backdoor.Win32.SdBot) Spybot (also known as Worm.P2P.Spybot) Wootbot (also known as Backdoor.Win32.Wootbot) The F-Bot utility can also disinfect computers that are infected with new variants of these backdoors, however disinfection will only work if these variants are detected generically by AVP engine. DISINFECTION PROCEDURE ---------------------- 1. Unpack the F-Bot utility from the provided ZIP archive either with WinZip or PkUnzip utilities. A trial version of WinZip archiver can be downloaded from the following website: http://www.winzip.com/ddchomea.htm 2. Run the unpacked F-Bot.exe file from a hard disk to eliminate backdoor infections. You can run the utility by either double clicking on it from Windows Explorer or you can start it from a command interpreter (COMMAND.COM or CMD.EXE) by typing its name at command prompt and pressing 'Enter' (for advanced users). First the F-Bot utility will kill all detected backdoors' processes in memory. Then the utility will remove all Registry values created by these backdoors and will delete all infected files from a hard disk. 3. Reboot the system. After restart your system should be clean. If you have F-Secure Anti-Virus installed, the utility will temporarily disable the on-access scanner (OAS) to be able to disinfect your system. After the utility completes disinfection, it enables on-access scanner. You can get a trial version of F-Secure Anti-Virus and the latest updates for it from our website: http://www.f-secure.com/download-purchase/list.shtml http://www.f-secure.com/download-purchase/updates.shtml IMPORTANT NOTES --------------- The F-Bot tool unpacks several files into a temporary folder on a hard drive. These files are not deleted after the tool finishes disinfection of a computer. The unpacked files can be deleted manually any time after disinfection. If the infection is in a network environment, then the network should be temporarily taken down before all workstations and servers are disinfected. A single infected workstation can re-infect already cleaned computers. The detailed instructions for eliminating an outbreak of the above mentioned backdoors in a network environment can be found here: http://www.f-secure.com/v-descs/netdisinf.shtml If a computer with Windows NT, 2000 or XP operating system is being disinfected, please log in as Administrator or as a user with local admin rights, otherwise the F-Bot utility might not disinfect the system correctly. If you have Windows ME or XP, it is recommended to disable System Restore feature of these operating systems to prevent your computer from re-infection with the above mentioned backdoors. The fact is that System Restore feature of these operating systems might save the infected file into the special folder and copy it back to a hard drive it every time it's been deleted by F-Bot utility. The instructions on how to disable System Restore feature are here: Windows ME: http://www.f-secure.com/v-descs/sfc_dis.shtml Windows XP: http://www.f-secure.com/v-descs/sfc_dis1.shtml If you have any problems using this utility please contact us on 'anti-virus-support@f-secure.com' address. Copyright (C) 2005 F-Secure Corporation.