Quick Start

README FIRST!: MrKlunky Virus - CSSAV Utility

Command Software Systems
Readme for the CSSAV Utility 
April 3, 1998
This readme contains supplemental information on the MrKlunky virus 
to help you determine if you need the CSSAV utility and to provide 
operational instructions. It is important to note that, at this time, 
the virus is not "In-the-Wild". Our virus response team created this 
utility as a direct response to a customer's report of this 
infection at a single site. It is not an indication of a widespread 

The CSSAV utility is a Windows 95 application that detects the MrKlunky
virus and disinfects systems infected by it. Once you run CSSAV.EXE, 
it installs a Windows 95 device driver, CSSAV.VXD. As an added benefit, 
files are scanned during every system boot and shutdown. 

The MrKlunky virus can hide within WIN32 executables while waiting to 
infect Windows 95 machines or WIN32 executables under Windows 95 or NT.
Under Windows 95, there is a VxD and DLL component to the virus that
infects every WIN32 .EXE file as it is copied, executed or edited. 
Infected files can be so badly damaged that they are unusable.  
While WIN32 EXE files can be infected on an NT machine, the NT 
system itself is not infected.

NOTE: The CSSAV utility uses a large amount of resources and may cause 
slower startup and shutdown.  Other activities may also be adversely 
affected in terms of response time.  

Before installing the CSSAV utility, we urge you to use the 
user-defined virus string feature in Command AntiVirus to determine 
if an infection actually exists. From the "Preferences" menu select
"User-Defined Virus Strings". Be sure to also select the "User-defined
virus strings" checkbox in the "Properties" dialog box located in the 
"Task" menu before beginning the scan. The information for the 
user-defined string for MrKlunky is:

      Virus Name: MrKlunky
      Virus String: 5060E8000000005DBF0000F7BFB900100000B850

      Select the checkbox for EXE files
      COM files: No
      EXE files: Yes
      Boot Sectors: No

Since the virus can reside in VxD files, you must include the VxD
extension in your "Files to include" list located in the "Preferences"
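
The string check described above, written out as an added example (it is not
part of the original readme and is not Command Software's code): a Python
byte-for-byte search for the MrKlunky string in .EXE and .VXD files. The
function names, the read size and the directory-walk behavior are assumptions
made for the illustration; a match shows only that the string is present.

```python
import os

# Virus string exactly as given in the readme (hex-encoded bytes).
MRKLUNKY_SIG = bytes.fromhex("5060E8000000005DBF0000F7BFB900100000B850")
# File types the readme says to scan: EXE files plus VxD files.
EXTENSIONS = (".exe", ".vxd")
CHUNK = 64 * 1024  # assumed read size, not taken from the readme


def find_signature(path, sig=MRKLUNKY_SIG, chunk=CHUNK):
    """Return the file offset of the first match, or -1 if absent."""
    overlap = len(sig) - 1
    tail = b""
    base = 0  # file offset where `tail + block` begins
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                return -1
            window = tail + block
            hit = window.find(sig)
            if hit != -1:
                return base + hit
            # Carry the last len(sig)-1 bytes forward so a match that
            # straddles two reads is still found.
            tail = window[-overlap:] if overlap else b""
            base += len(window) - len(tail)


def scan_tree(root):
    """Walk `root` and return {path: offset} for every matching file."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            try:
                offset = find_signature(full)
            except OSError:
                continue  # unreadable or locked file: skip, do not abort
            if offset != -1:
                hits[full] = offset
    return hits
```
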

To effectively use the utility, follow these steps:

    1.  After downloading the CSSAVUTL.EXE file, copy it to a 
        virus-free diskette.
    3.  Extract the CSSAVUTL.EXE file on the diskette. You should 
        now have the following two files:  CSSAV.EXE and CSSAV.VXD.
    4.  Set the write-protect tab. 

NOTE: You can make as many copies as you need for your organization.

At each Windows 95 Workstation:

    1.  While your system is running, place the CSSAVUTL diskette 
        in drive A.
    3.  From the "Start" menu, select "Run" and type:
        The system displays a message indicating that 
        the system will load and run in the background.  
    5.  Click the "Start In Background" button.  You may get messages 
        indicating that your shutdown was incomplete and scandisk will 
        start. You can safely escape from scandisk.
    6.  When the system is fully scanned, a dialog box appears. 
        Click OK.
        NOTE:  Do not shut down your system until the complete message 
        is displayed, or you may reinfect your system on start up.

The CSSAV utility disables the virus in memory. Then, it scans the hard 
drive, removes the virus, and repairs the damage. At shutdown, any files that 
could not be scanned or repaired because they were open will be handled.  

NOTE:  Your shutdown process may take slightly longer than it did previously.

We have seen some Windows protection errors which we hope to resolve
for the next release of this utility. 

If our utility should become infected, it will continue to function 
correctly. Also, it will be cleaned at shutdown so that it is not a 
source of infection in the future.

After disinfection, the file is not returned to normal size, but it will 
function normally.  We are continuing to refine disinfection and will post 
the update as soon as it is available.

In the current version of the CSSAV utility, you must edit the registry
to remove the utility. It is easy to make a mistake when editing the
registry and the results can be disastrous. Make a backup copy of your
current registry before proceeding. If you are uncertain, contact your 
system administrator or call our technical support team. 
In the future there will be an uninstall button.

To remove the CSSAV utility, delete the CSSAV.VXD from your Windows 95
system directory. You then need to delete the registry key for Command

1. Delete the CSSAV.VXD file from Windows 95/System.
2. From the "Start" menu click "Run".
3. Type "regedit" and click "OK".
4. Start at the following key and work your way down:
   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\Command Software
5. When you are at the VxD\Command Software key, highlight 
   Command Software and press your delete key.