We have analysed samples of malware that is calling itself 'MonaRonaDona', and is creating a buzz on Internet forums. In a nutshell, it seems the sole purpose of the malware is to prompt the user to enter the term "MonaRonaDona" into a search engine. This is an attempt to lead them to an application that can remove the unwelcome threat - a fix that has obviously been conveniently provided by the very people who created the virus in the first place.
When the Trojan executes, it creates the file SRVSPOOL.EXE in the startup folder of all user accounts and displays the following alert on the compromised computer:

The threat will stop any of the following applications whose name appears in the window title bar, and the title bar will also contain a reference to MonaRonaDona:
• Date And Time
• Windows Task Manager
• Registry Editor
• Irfanview
• Google Talk
• Macromedia
• Adobe
• Microsoft Visual
• Windows Media Player
• Winamp
• Microsoft Office
• Microsoft Excel
• Microsoft Word
• Windows Live Messenger
Once the user enters the name 'MonaRonaDona' into an Internet search engine, some of the top search results will be the "fix" that the malware authors have - in all probability - also conveniently created in order to solve the problem:

Fortunately, the top search engine results now highlight the fact that this is a scam and warn victims against downloading the application the Trojan's authors created to remove the malware, for which they were charging US$39.90 (the Unigray Web site was down at the time of writing). While the software does in fact remove the MonaRonaDona Trojan, it is the ONLY malware it removes, despite the fact that it (falsely) claims to have cleaned over 200 other threats. These threats appear to have been randomly selected from the Symantec threat database.
Not surprisingly, the domain unigray.com was only registered on Feb 20 this year - and yet the product claims to detect 679,871 threats...

Symantec antivirus products detect MonaRonaDona as Trojan.Monagray and the Unigray software as misleading application "Unigray".
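
A manual check for the startup-folder file described above, as an added example that is not part of the original post: it walks the Startup folder of every profile under a drive root and reports any file named SRVSPOOL.EXE, whatever its letter case. The folder layouts are assumed to be the standard English-locale Windows paths, and the alice/bob/carol tree is constructed sample data so the script runs offline.

```python
import tempfile
from pathlib import Path

DROPPED_NAME = "srvspool.exe"  # file name from the write-up, compared case-insensitively
# Assumed standard English-locale Startup locations, relative to one profile directory.
PROFILE_STARTUP = (
    "Start Menu/Programs/Startup",                                    # Windows 2000/XP
    "AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup",  # Vista and later
)
PROFILE_ROOTS = ("Documents and Settings", "Users")
COMMON_STARTUP = "ProgramData/Microsoft/Windows/Start Menu/Programs/Startup"

def _children(directory):
    # List a directory, treating missing or unreadable paths as empty.
    try:
        return sorted(directory.iterdir())
    except OSError:
        return []

def startup_dirs(drive_root):
    # Yield every per-profile Startup folder, then the common one.
    root = Path(drive_root)
    for profiles in PROFILE_ROOTS:
        for profile in _children(root / profiles):
            for sub in PROFILE_STARTUP:
                yield profile / sub
    yield root / COMMON_STARTUP

def find_dropped_files(drive_root):
    # Return the paths of files named SRVSPOOL.EXE in any Startup folder.
    return [entry
            for folder in startup_dirs(drive_root)
            for entry in _children(folder)
            if entry.is_file() and entry.name.lower() == DROPPED_NAME]

def build_sample_tree(root):
    # Constructed sample: two profiles carry the file, one holds a benign shortcut.
    for rel in ("Documents and Settings/alice/Start Menu/Programs/Startup/SRVSPOOL.EXE",
                "Users/bob/" + PROFILE_STARTUP[1] + "/notes.lnk",
                "Users/carol/" + PROFILE_STARTUP[1] + "/SrvSpool.exe"):
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")  # empty placeholder, not a real sample

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for hit in find_dropped_files(tmp):
            print("found:", hit.relative_to(tmp))
```

On a live system, pass the system drive root (for example `C:\`) to `find_dropped_files`; a hit is only a file-name match and still needs confirming with an antivirus scan.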



