
F - B O T
---------

The F-Bot utility disinfects computers infected with all known by 
September 2005 variants of the following backdoors:

 Agobot  (also known as Backdoor.Win32.Agobot)
 Aimbot  (also known as Backdoor.Win32.Aimbot)
 Bozori  (also known as Net-Worm.Win32.Bozori)
 Codbot  (also known as Backdoor.Win32.Codbot)
 Forbot  (also known as Backdoor.Win32.Forbot)
 IRCBot  (also known as Backdoor.Win32.IRCBot)
 Mytob   (also known as Net-Worm.Win32.Mytob)
 Poebot  (also known as Backdoor.Win32.Poebot)
 Rbot    (also known as Backdoor.Win32.Rbot)
 SDBot   (also known as Backdoor.Win32.SdBot)
 Spybot  (also known as Worm.P2P.Spybot)
 Wootbot (also known as Backdoor.Win32.Wootbot)

The F-Bot utility can also disinfect computers that are infected 
with new variants of these backdoors, however disinfection will 
only work if these variants are detected generically by AVP 
engine.


DISINFECTION PROCEDURE
----------------------

1. Unpack the F-Bot utility from the provided ZIP archive either 
with WinZip or PkUnzip utilities. A trial version of WinZip 
archiver can be downloaded from the following website:

http://www.winzip.com/ddchomea.htm
                                   
2. Run the unpacked F-Bot.exe file from a hard disk to eliminate 
backdoor infections. You can run the utility by either double 
clicking on it from Windows Explorer or you can start it from a 
command interpreter (COMMAND.COM or CMD.EXE) by typing its name 
at command prompt and pressing 'Enter' (for advanced users).

First the F-Bot utility will kill all detected backdoors' 
processes in memory. Then the utility will remove all Registry 
values created by these backdoors and will delete all infected 
files from a hard disk.

3. Reboot the system. After restart your system should be clean.

If you have F-Secure Anti-Virus installed, the utility will 
temporarily disable the on-access scanner (OAS) to be able to 
disinfect your system. After the utility completes disinfection, 
it enables on-access scanner.

You can get a trial version of F-Secure Anti-Virus and the
latest updates for it from our website:

http://www.f-secure.com/download-purchase/list.shtml
http://www.f-secure.com/download-purchase/updates.shtml


IMPORTANT NOTES
---------------

The F-Bot tool unpacks several files into a temporary folder on a 
hard drive. These files are not deleted after the tool finishes 
disinfection of a computer. The unpacked files can be deleted 
manually any time after disinfection.

If the infection is in a network environment, then the network 
should be temporarily taken down before all workstations and 
servers are disinfected. A single infected workstation can 
re-infect already cleaned computers. The detailed instructions 
for eliminating an outbreak of the above mentioned backdoors in a 
network environment can be found here:

http://www.f-secure.com/v-descs/netdisinf.shtml

If a computer with Windows NT, 2000 or XP operating system is 
being disinfected, please log in as Administrator or as a user 
with local admin rights, otherwise the F-Bot utility might not 
disinfect the system correctly.

If you have Windows ME or XP, it is recommended to disable System 
Restore feature of these operating systems to prevent your 
computer from re-infection with the above mentioned backdoors. 
The fact is that System Restore feature of these operating 
systems might save the infected file into the special folder and 
copy it back to a hard drive it every time it's been deleted by 
F-Bot utility. The instructions on how to disable System Restore 
feature are here:

Windows ME:
http://www.f-secure.com/v-descs/sfc_dis.shtml

Windows XP:
http://www.f-secure.com/v-descs/sfc_dis1.shtml

If you have any problems using this utility please contact us on 
'anti-virus-support@f-secure.com' address.

Copyright (C) 2005 F-Secure Corporation.
