README FIRST!: MrKlunky Virus - CSSAV Utility
Command Software Systems
Readme for the CSSAV Utility
April 3, 1998
This readme contains supplemental information on the MrKlunky virus
to help you determine if you need the CSSAV utility and to provide
operational instructions. It is important to note that, at this time,
the virus is not "In-the-Wild". Our virus response team created this
utility as a direct response to a customer's report of this
infection at a single site. It is not an indication of a widespread
The CSSAV utility is a Windows 95 application that detects the MrKlunky
virus and disinfects systems infected by it. Once you run CSSAV.EXE,
it installs a Windows 95 device driver, CSSAV.VXD. As an added benefit
files are scanned during every system boot and shutdown.
The MrKlunky virus can hide within WIN32 executables while waiting to
infect Windows 95 machines or WIN32 executables under Windows 95 or NT.
Under Windows 95, there is a VxD and DLL component to the virus that
infects every WIN32 .EXE file as it is copied, executed or edited.
Infected files can be so badly damaged that they are unusable.
While WIN32 EXE files can be infected on an NT machine, the NT
system itself is not infected.
NOTE: The CSSAV utility uses a large amount of resources and may cause
slower startup and shutdown. Other activities may also be adversely
affected in terms of response time.
Before installing the CSSAV utility, we urge you to use the
user-defined virus string feature in Command AntiVirus to determine
if an infection actually exists. From the "Preferences" menu select
"User-Defined Virus Strings". Be sure to also select the "User-defined
virus strings" checkbox in the "Properties" dialog box located in the
"Task" menu before beginning the scan. The information for the
user-defined string for MrKlunky is:
Virus Name: MrKlunky
Virus String: 5060E8000000005DBF0000F7BFB900100000B850
Select the checkbox for EXE files
COM files: No
EXE files: Yes
Boot Sectors: No
Since the virus can reside in VxD files, you must include the VxD
extension in your "Files to include" list located in the "Preferences"
To effectively use the utility, follow these steps:
1. After downloading the CSSAVUTL.EXE file, copy it to a
3. Extract the CSSAVUTL.EXE file on the diskette. You should
now have the following two files: CSSAV.EXE and CSSAV.VXD.
4. Set the write-protect tab.
NOTE: You can make as many copies as you need for your organization.
At each Windows 95 Workstation:
1. While your system is running, place the CSSAVUTL diskette
in drive A.
3. From the "Start" menu, select "Run" and type:
The system displays a message indicating that
the system will load and run in the background.
5. Click the "Start In Background" button. You may get messages
indicating that your shutdown was incomplete and scandisk will
start. You can safely escape from scandisk.
6. When the system is fully scanned, a dialog box appears.
NOTE: Do not shutdown your system until the complete message
is displayed, or you may reinfect your system on start up.
The CSSAV utility disables the virus in memory. Then, it scans the hard
drive, removes the virus, and repairs the damage. At shutdown, any files that
could not be scanned or repaired because they were open, will be handled.
NOTE: Your shutdown process may take slightly longer than it did previously.
We have seen some windows protection errors which we hope to resolve
for the next release of this utility.
If our utility should become infected, it will continue to function
correctly. Also, it will be cleaned at shutdown so that it is not a
source of infection in the future.
After disinfection, the file is not returned to normal size, but it will
function normally. We are continuing to refine disinfection and will post
the update as soon as it is available.
In the current version of the CSSAV utility, you must edit the registry
to remove the utility. It is easy to make a mistake when editing the
registry and the results can be disastrous. Make a backup copy of your
current registry before proceeding. If you are uncertain contact your
system administrator or call our technical support team.
In the future there will be an uninstall button.
To remove the CSSAV utility, delete the CSSAV.VxD from your Windows 95
system directory. You then need to delete the registry key for Command
1. Delete the CSSAV.VXD file from Windows 95/System.
2. From the "Start" menu click "Run".
3. Type "regedit" and click "OK".
4. Start at the following key and work your way down:
5. When you are at VxD\Command Software key, highlight
Command Software and press your delete key.