
F - D E B O R M
---------------

The F-Deborm utility disinfects computers infected with Deborm.R 
worm (also known as Worm.Win32.Deborm.R and W32/Deborm.R) and the 
malware that it drops to an infected system:

Trojan.Win32.Killav.q
Backdoor.SDbot.gen (also known as W32/SDBot.J)
Backdoor.Litmus.203 (also known as W32/Litmus.C)

Disinfection procedure should be as follows:

1. Unpack the F-Deborm utility from the provided ZIP archive 
either with WinZip or PkUnzip utilities. A trial version of 
WinZip archiver can be downloaded from the following website:

http://www.winzip.com/ddchomea.htm
                                   
2. Run the unpacked F-Deborm.exe file from a hard disk to 
eliminate the infection. You can run the utility by either 
doubleclicking on it from Windows Explorer or you can start it 
from a command interpreter (COMMAND.COM or CMD.EXE) by typing its 
name at command prompt and pressing 'Enter' (for advanced users).

First the F-Deborm utility will kill Deborm worm's processes in 
memory. Then the utility will scan all hard drives for infected 
files and delete them. The tool will also eliminate SDBot, Litmus 
backdoor and Killav trojan infection.

3. Restart a computer. After restart your system should be clean.


You can get a trial version of F-Secure Anti-Virus and the latest 
updates for it from our website:

http://www.europe.f-secure.com/download-purchase/
http://www.europe.f-secure.com/download-purchase/updates.shtml


IMPORTANT NOTES
---------------

If Deborm infection is in a network environment, then the network 
should be temporarily taken down before all workstations and 
servers are disinfected. A single infected workstation can 
re-infect already cleaned computers. However if FSAV 5.40 or a 
later version is installed on computers connected to a network, 
it is recommended to set disinfection action of the On-Access 
Scanner (OAS) to 'Disinfect Automatically'. This will protect 
already cleaned workstations connected to an infected network 
from further re-infection by the worm.

If a computer with Windows NT, 2000 or XP system is being 
disinfected, please log in as Administrator or as a user with 
local admin rights, otherwise the F-Deborm utility might not 
disinfect the system correctly.

If you have Windows ME or XP, it is recommended to disable System 
Restore feature of these operating systems to prevent your 
computer from re-infection with Deborm worm. The fact is that 
System Restore feature of these operating systems might save the 
infected file into the special folder and copy it back to a hard 
drive it every time it's been deleted by F-Deborm utility. The 
instructions on how to disable System Restore feature are here:

Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml

Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

If you have any problems using this utility please contact us on 
'samples@f-secure.com' address.

