Saturday, October 27, 2007

Malware chaos algssl.exe

Recently I got myself a 2 GB flash drive to get some more portability. But as Uncle Ben says to Spiderman, "With great portability comes a greater risk of malware!" That was precisely my case. Almost all common malware these days spreads through portable drives (Win32.USB) as much as it does through email.

In my case, it's algssl.exe. I finally had to overcome my laziness to see it through. I tried Webroot's Spyware remover and SpyBot S&D (with the latest updates), but neither of them detected this one; of course they were really good at finding tracking cookies :) And I must say I really like TeaTimer.exe with SpyBot. Once I set the rules, it really doesn't let the spyware write entries back into the registry, which did not work the same with CCleaner.

Conclusion?! I had to deal with it manually. I ran some tests to find out as much about this algssl.exe as I could; Google helped greatly. From my first impressions, it appeared to be of Chinese origin, or at least that is where most of the blog and forum posts mentioning this infection come from.

Here are some of the details from the strings results on algssl.exe on my system.

-------------------------------------------
SQLOLEDB.1
msfir80
algssl
sal.xls
msime80
msnote
.exe
explorer
AUTORUN.INF
[AutoRun]
open=
shellexecute=
shell\Auto\command=
shell=Auto
[VVflagRun]
aabb=kdkfjdkfk11
\ufdata2000.log
UFDATA_
select cAcc_Id from ua_account order by cAcc_id
LockType
Open
EOF
cAcc_id
select iyear from ua_period where cAcc_id='
' order by iyear desc
iyear
MoveNext
Integrated Security=SSPI;Persist Security Info=False;Data Source=.;Initial Catalog=ufsystem
select count(*) as co from
.dbo.gl_accvouch where iperiod=
Close
select top
mc,md from
order by ino_id
MoveLast
Update
.dbo.gl_accsum where iperiod=
mb,mc,md,me from
order by ccode
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Software\Microsoft\Windows\CurrentVersion\Run
CheckedValue
IMJPMIG8.2
MsServer
VS_VERSION_INFO
VarFileInfo
Translation
StringFileInfo
CompanyName
Microsoft Corp.
ProductName
FireWall Files
------------------------------------------------------


These two files, msfir80.exe and msie80.exe, appear as Microsoft Excel files.
Path:
%systemroot%\system32\msfir80.exe
%systemroot%\system32\msie80.exe

Delete these two files.
And delete all the keys in the registry for both of these files.

Now, I also noticed it locked down my partitions. So whenever I tried to access any partition I would have to choose from the Open With dialog window, which is usually for files to be run using specific applications.
In addition, every partition had an AutoRun.inf file which looked like this:

----------------------------

[AutoRun]
open=sal.xls.exe
shellexecute=sal.xls.exe
shell\Auto\command=sal.xls.exe
shell=Auto
[VVflagRun]
aabb=kdkfjdkfk11


-------------

So that means we have two files: one is AutoRun.inf, which then runs sal.xls.exe.

Moving to cmd prompt

Run dir /a in each drive.
You should find both files in every drive at the root level; change the attributes of both these files.
Example, for my drive D:


D:\>attrib AutoRun.inf -h -s -r
D:\>attrib sal.xls.exe -h -s -r
D:\>del AutoRun.inf sal.xls.exe


Repeat this for every partition. Clear the registry of any keys with these files too (it makes changes to the registry for startup).
Reboot.
And yeah, this taught me one thing: use your flash drive carefully. Always check for any sort of malicious processes.
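To check a drive root the way the steps above do by hand, here is an added Python example (my own code, not the author's) that parses an AutoRun.inf, lists what its [AutoRun] keys would launch, and flags disguised names like sal.xls.exe. The embedded sample is the AutoRun.inf listed above; the function names and the disguised-extension heuristic are my own assumptions.

```python
import re
from pathlib import Path

# [AutoRun] keys that made Windows of that era run or offer the named program
LAUNCH_KEYS = ("open", "shellexecute", "shell\\auto\\command")

# Constructed sample: the AutoRun.inf listing from the post, copied verbatim
SAMPLE_AUTORUN = """[AutoRun]
open=sal.xls.exe
shellexecute=sal.xls.exe
shell\\Auto\\command=sal.xls.exe
shell=Auto
[VVflagRun]
aabb=kdkfjdkfk11
"""

def parse_autorun(text):
    """{section: {key: value}}, names lowercased; junk lines are skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections

def launched_programs(text):
    """Distinct programs the [AutoRun] section points at, in key order."""
    autorun = parse_autorun(text).get("autorun", {})
    return list(dict.fromkeys(autorun[k] for k in LAUNCH_KEYS if autorun.get(k)))

def is_disguised(name):
    """True for names like sal.xls.exe: a document extension ahead of a program one (heuristic)."""
    return re.search(r"\.(xls|doc|txt|jpg|pdf)\.(exe|com|scr|pif|bat)$", name, re.I) is not None

def scan_drive_root(root):
    """Find AutoRun.inf in one drive root (any directory works) and return
    (path or None, launched programs, the subset with a disguised name)."""
    inf = next((p for p in Path(root).iterdir() if p.name.lower() == "autorun.inf"), None)
    if inf is None:
        return None, [], []
    programs = launched_programs(inf.read_text(errors="replace"))
    return str(inf), programs, [p for p in programs if is_disguised(p)]
```

Run scan_drive_root on each drive letter (for example "D:\\") before opening the drive; an empty result means no AutoRun.inf was found at the root.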


I'm not an expert at malware detection or removal, but I don't take anything for granted (especially with my system). Those strings in the exe, I'm wondering what they could be? I can narrow all this down to:
- The malware spreads through some exploit (I am still looking into it)
- From all the strings, it looks as if it is creating some kind of database. I wonder what it would be used for?

select cAcc_Id from ua_account order by cAcc_id
Open
EOF
cAcc_id
select iyear from ua_period where cAcc_id='
' order by iyear desc
iyear
MoveNext



(If anyone finds more information about it please let me know )

I'm gonna try to get more information about it, but first I need to prepare for my internal exams; they start on Monday (and yeah, that's my last internals :) ).

2 comments:

JustAnotherPerson said...

Hi, thanks for the info. I, too, am a victim of algssl.exe & Ad-Aware got rid of it, but I still can't view hidden files.. did that happen to you? How did you fix it?

JustAnotherPerson said...

Nevermind, I found the solution here: http://dev-for-fun.blogspot.com/2008/02/manually-remove-trojan-algsslexe.html
in step-3