
F - Z A F I
-----------

The F-Zafi utility disinfects computers infected with the
following Zafi (also known as Erkez or Kapes) worm variants:

Zafi.A
Zafi.B
Zafi.C
Zafi.D

The disinfection procedure is as follows:

1. Unpack the F-Zafi utility from the provided ZIP archive with 
either the WinZip or the PkUnzip utility. A trial version of the 
WinZip archiver can be downloaded from the following website:

http://www.winzip.com/ddchomea.htm
                                   
2. Run the unpacked F-Zafi.exe file from a hard disk to eliminate 
the infection. You can run the utility either by double-clicking 
it in Windows Explorer or by starting it from a command 
interpreter (COMMAND.COM or CMD.EXE): type its name at the 
command prompt and press 'Enter' (for advanced users).

First, the F-Zafi utility kills the Zafi worm's processes in 
memory. Then it removes the Registry entries created by the 
worm. Finally, it scans all hard drives for infected files and 
deletes them.

3. Restart the computer. After the restart, your system should be 
clean.


You can get a trial version of F-Secure Anti-Virus and the latest 
updates for it from our website:

http://www.europe.f-secure.com/download-purchase/list.shtml
http://www.europe.f-secure.com/download-purchase/updates.shtml


IMPORTANT NOTES
---------------

The Zafi.B worm can overwrite executable files belonging to 
different applications with its own body. Sometimes it can kill 
files of certain applications by reducing their size to zero. The 
F-Zafi utility will delete files overwritten by the worm, so 
affected applications have to be re-installed or restored from 
backups. The same should be done for the application files zeroed 
by the worm.
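
An added example, not part of the F-Zafi utility or F-Secure's 
code: a Python script that lists zero-length executable files per 
directory, to help decide which applications to re-install after 
disinfection. The extension list and the default root C:\ are 
assumptions of this example.

```python
import os
import stat
import sys
from collections import defaultdict

# Assumption of this example: the README does not say which file
# types Zafi.B zeroes, so common Windows executable types are checked.
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".com", ".scr"}


def find_zeroed_executables(root):
    """Return {directory: [names]} of zero-length executables under root."""
    hits = defaultdict(list)
    for dirpath, _dirnames, filenames in os.walk(root):  # unreadable dirs are skipped
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in EXECUTABLE_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow links out of the tree
            except OSError:
                continue  # file vanished or is not accessible
            # A zero-length executable is only a candidate: it shows the file
            # is unusable, not that Zafi.B is what emptied it.
            if stat.S_ISREG(st.st_mode) and st.st_size == 0:
                hits[dirpath].append(name)
    return {d: sorted(names) for d, names in hits.items()}


def report(root):
    """One line per affected directory, sorted by directory path."""
    hits = find_zeroed_executables(root)
    return [f"{d}: {', '.join(hits[d])}" for d in sorted(hits)]


if __name__ == "__main__":
    # Usage: python find_zeroed.py [root]   (script name is hypothetical)
    root = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    for line in report(root):
        print(line)
```

Files that F-Zafi already deleted will not appear in this list; 
compare against backups or installer manifests for those.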

If the computer being disinfected runs Windows NT, 2000 or XP, 
please log in as Administrator or as a user with local admin 
rights; otherwise the F-Zafi utility might not disinfect the 
system correctly.

If you have Windows ME or XP, it is recommended to disable the 
System Restore feature of these operating systems to prevent your 
computer from being re-infected with the Zafi worm. System 
Restore might save the infected file into its special folder and 
copy it back to the hard drive every time the file is deleted by 
the F-Zafi utility. The instructions on how to disable the System 
Restore feature are here:

Windows ME:
http://www.europe.f-secure.com/v-descs/sfc_dis.shtml

Windows XP:
http://www.europe.f-secure.com/v-descs/sfc_dis1.shtml

If you have any problems using this utility, please contact us at 
'anti-virus-support@f-secure.com'.

Copyright (C) 2004 F-Secure Corporation. All rights reserved.

