cgjn7843.dll
Thursday, 20 October 2011 03:07
Here is a suspicious installer that drops a file named C:\Windows\cgjn7843.dll. You can see the automated analysis report on this link.
It appears to be a banking Trojan (Trojan-Downloader.Win32.Bancos).
Just because a virus writer gives a file this name does not mean that every file with that name is malicious, so take the necessary precautions when deciding whether a file on your computer is legitimate or not. Read this Disclaimer.
- The installer is about 244 kilobytes.
- It creates this file: C:\Windows\cgjn7843.dll (the report lists no folders).
- It creates a startup registry entry so that cgjn7843.dll runs each time Windows starts.
- It modifies the Hosts file.
- It intercepts the user's requests to various sites and redirects them to a malicious URL.
- It could be used to download further malicious files onto the computer.
Can Antivirus programs detect it?
Unfortunately, most antivirus programs seem to miss these virus files.
What is a Banking Trojan?
- Trojan Infostealer Bancos/Banker may be detected by antivirus programs as Trojan-Banker.Win32.Banz [Ikarus].
- It has the threat characteristics of ZBot, a banking trojan that disables the firewall, steals sensitive financial data (credit card numbers, online banking login details), takes screen snapshots, downloads additional components, and gives the attacker remote access to the affected computer.
- It may stop the services ALG (Application Layer Gateway Service) and SharedAccess (Windows Firewall/Internet Connection Sharing (ICS)).
- Trojan.Bancos runs silently in the background to monitor web browser activity. It can create fake login pages for certain banking sites, which are used to steal usernames and passwords that can then be sent to the attacker via e-mail.
- It may modify the hosts file so as to redirect or block sites, or it deletes the hosts file.
- It may delete the SafeBoot registry keys, which prevents the computer from starting in safe mode. The remedy for this problem is to reinstall Windows.
- According to Symantec: The Trojan is most often spread by way of an email containing a social engineering trick, such as a fake email from a bank asking the user to run the attached program and perform some other actions to verify their banking details. If the user complies with the request, they could potentially reveal their account access information, which may lead to significant financial loss. You can read the writeup at Symantec on this link.
How do I get infected? Can it be avoided?
Small files like these can enter a computer unnoticed while browsing the net; this is called a drive-by download. There are ways to prevent it from happening, and you can read about them on this link.
So what should I do now?
You need to delete this or any other suspicious file that you can see running in Task Manager. Also, do not forget to run a scheduled boot scan using the antivirus program on your computer. A good firewall can help you block or detect any hidden communication between a file on your computer and someone else on the internet, so keep a close eye on these activities through your firewall.
The virus may modify registry keys/values associated with Internet Explorer zone settings and lower the security settings. You can use a free tool from Microsoft to reset the IE settings; see more information on Microsoft's website.
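Two of the traces listed above, the modified (or deleted) hosts file and the startup registry entry that loads the DLL, can be checked before you start deleting files. The script below is an added example written for this post, not code from the original article or from the ThreatExpert report. The watched bank domains, the sample hosts text and the autorun command line are constructed for illustration; the page does not give the actual Run-key value the trojan writes, so that is treated as an assumption and passed in as plain data rather than read from the registry.

```python
"""Audit a Windows hosts file and autorun (Run key) values for the traces a
Bancos-style banking trojan leaves behind: bank domains pinned to a
non-loopback address, a deleted hosts file, and a startup entry that loads
the dropped DLL. Pure functions take text/dicts so they run on any OS.
"""
from pathlib import Path

# Default location of the hosts file on Windows.
WINDOWS_HOSTS = r"C:\Windows\System32\drivers\etc\hosts"

# Constructed watch-list for this example; use your own bank's domains.
WATCHED_DOMAINS = {"www.examplebank.com", "onlinebanking.example.net"}

# Addresses that legitimately appear in a hosts file (loopback / sinkhole).
LOOPBACK = {"127.0.0.1", "::1", "0.0.0.0"}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comment
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def audit_hosts_text(text):
    """Flag bank domains pinned anywhere and any non-loopback mapping."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in WATCHED_DOMAINS:
            findings.append(f"bank domain {name} pinned to {ip}")
        elif ip not in LOOPBACK and name != "localhost":
            findings.append(f"non-loopback mapping {name} -> {ip}")
    return findings


def audit_hosts_file(path):
    """Audit a hosts file on disk; a missing file is itself a finding."""
    p = Path(path)
    if not p.exists():
        return ["hosts file missing (some Bancos variants delete it)"]
    return audit_hosts_text(p.read_text(encoding="utf-8", errors="replace"))


def audit_autoruns(run_values, dropped_name="cgjn7843.dll"):
    """run_values: mapping of value name -> command line, as exported from
    the HKLM/HKCU ...\\CurrentVersion\\Run keys. Flags values that load
    the dropped DLL."""
    hits = []
    for value_name, command in run_values.items():
        if dropped_name.lower() in command.lower():
            hits.append(f"autorun '{value_name}' loads {dropped_name}: {command}")
    return hits


# Constructed sample hosts content: two normal lines plus two injected ones.
SAMPLE_HOSTS = """# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost
198.51.100.7    www.examplebank.com   # redirect injected by the trojan
198.51.100.7    www.update-check.example
"""

# Constructed Run-key export; the real value name/command is not on the page.
SAMPLE_RUN_VALUES = {
    "Windows Update Helper": r"rundll32.exe C:\Windows\cgjn7843.dll,Start",
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
}

if __name__ == "__main__":
    for line in audit_hosts_text(SAMPLE_HOSTS) + audit_autoruns(SAMPLE_RUN_VALUES):
        print("SAMPLE:", line)
    # On a Windows machine this audits the live hosts file as well.
    for line in audit_hosts_file(WINDOWS_HOSTS):
        print("LIVE:", line)
```

Run it as-is to see the findings for the constructed sample; on a Windows machine it also reports on the live hosts file. A clean hosts file that only maps localhost produces no findings, and a missing hosts file is reported rather than silently skipped, because the page notes that some variants delete it.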
Don't you write detailed step-by-step instructions?
Yes, I do. But in order to avoid looking cumbersome, I have grouped all the commonly followed steps that can be applied to any or all of the viruses. In case you need them, they are here on this link.
The above information is based on an automated virus analysis report from ThreatExpert.com.
If you come across any difficulties in removing the above virus, send your queries to the Help Forum.
