Friday, March 14, 2008

The Art, Drama, and Sophistication of MonaRonaDona

MonaRonaDona may sound like a wild combination of famous paintings of women rather than anything else, but this nifty little malware has been making headlines on security Web sites for the last couple of days, bringing to light the latest “artistic” persuasion that only a social-engineering scammer would attempt to pull off.

Unconfirmed reports say initial infection happens when users click on a certain ad banner for Registry Clean Fix, a possible rogue program, which initiates a stealth download of MonaRonaDona onto the system. The malware remains inactive (and impervious to detection) until the user restarts the system. Mona then displays a message on startup, introducing itself to the user and at the same time piquing his or her interest:

Through the years, it has become natural for computer-savvy users to start looking for a solution or a cure for malware once their systems are inadvertently infected over the Web. This natural human response thus becomes an opportunity for social engineers to exploit. Researchers have found that keying in “MonaRonaDona” in a search engine (e.g. Yahoo!, Google) results in a list of Web sites pointing to several references and discussions about a cure for the MonaRonaDona strain. The sites include YouTube video pages and Web forums. Not that Mona is all that popular in that corner of cyberspace: further investigation reveals that these sites were also the doing of the malware writers.

In a sample article that turned up in the searches, for instance, an antivirus product known as Unigray Antivirus was mentioned, which claims to scan for and detect 679,871 threats, including the MonaRonaDona strain. Though it does detect and clean the said strain, investigation results disputed the claim that Unigray can also (supposedly) detect and clean the remaining 679,870. Furthermore, the Web site hosting Unigray had only been on the Web for a couple of weeks, which would probably make anyone think twice before actually purchasing the product. One can assume that the people behind MonaRonaDona are most likely the same people who developed Unigray.

Trend Micro detects MonaRonaDona as TROJ_MONAGRAY.A. The following component files are also detected:

  • RegistryCleaner2008.txt (1,990,711 bytes) - detected as ADW_REGCLEAN.A (TMASY detection is Adware_RegClean)
  • unigray_antivirus.txt (1,377,566 bytes) - detected as ADW_UNIGRAY.A (TMASY detection is Adware_Unigray)
  • Unigray Antivirus.txt (6,721,536 bytes) - detected as ADW_UNIGRAY.A (TMASY detection is Adware_Unigray)
  • SRVSPOOL.txt (2,170,880 bytes) - detected as TROJ_MONAGRAY.A

One cannot help but feel a little impressed at how much social engineering has “come of age.” The people behind such acts are putting more thought and effort into their new schemes than usual, attempting to make something out of the smallest opportunities for profit. Social engineering is really no small business, as users are still found to fall prey to its lures.

Trend Micro advises users to be more wary of new social engineering techniques being practiced in the wild. Lastly, keep pattern and scan files updated.

MonaRonaDona malware

Over the last week there has been an enormous upsurge in reports of so called "MonaRonaDona" malware.

When MonaRonaDona is installed on the system it shows the user an alert:

When active, it terminates applications which have the names listed below in the Windows title bar:

Date And Time
Windows Task Manager
Registry Editor
Irfanview
Google Talk
Macromedia
Adobe
Microsoft Visual
Windows Media Player
Winamp
Microsoft Office
Microsoft Excel
Microsoft Word
Messenger

The IE title bar will also contain a reference to MonaRonaDona.

How the malware actually reaches the system isn't entirely clear at the moment. When first run, the only thing the program does is register itself to start at Windows boot. As symptoms of infection aren't immediately visible, this makes it harder for victims to pinpoint what they were doing when they actually got infected. These characteristics make it look as though this malware was created by a cyber hooligan, someone simply interested in causing damage to victim machines. However, a bit more digging revealed a completely different story.

Even though it may not be immediately clear that the machine has been infected, MonaRonaDona, in contrast to the majority of today's malware, is very visible. It's an approach clearly designed to cause the user to search for information on MonaRonaDona using their favourite search engine.

Once the victim searches using this name, s/he will end up at sites displaying the following:

Or at Digg:

which leads to:

Incidentally, at the time I received the malware, no antivirus product was detecting it. However, the names of the antivirus products listed on the screenshot above will probably be familiar to most users – apart from the unknown Unigray antivirus.

A bit of research uncovered the following facts: firstly, unigray.com has only been in existence for two weeks now, which is a bit of a red flag.

Secondly, that's a pretty large anti-malware database for a product that has only been around for a very short period of time.
Interestingly, the 'number of records' value is hardcoded in the product, but when updating, the program will always report (falsely) that the latest updates have been installed. Another red flag.

Digging a bit deeper, I found that the product only has 'detection' for the following malicious programs:

Win32.CIH
BlazeFind
e2give
Hancer
Cydoor
PowerStrip
EliteBar
DyFuCa
2020Search
Aurora
Spy Trooper
SpySheriff
CoolWebSearch
W32.Gampxia!html
W32.Gampxia
W32.Imaut.CN
W32.Selex.B@mm
Win32.ch
MonaRonaDona

The program generated almost 200 false alarms on a completely clean system, choosing names seemingly at random from the list of malicious programs shown above. Interestingly, on a machine infected with MonaRonaDona, the 'antivirus' also generated false alarms on clean files, detecting them as MonaRonaDona.

It seems very strange that such a new program would include detection for MonaRonaDona while legitimate antivirus products don't.
Analysing the program further I found that it has only one removal routine. Guess for which malicious program? That's right - MonaRonaDona. Unigray will clean it up for only $39.90 – this doesn't sound like the best of deals to me.

A comparison of the code of MonaRonaDona and Unigray Antivirus shows that there are many, many similarities. This leaves very little doubt that the same group is behind both MonaRonaDona and Unigray. And this case clearly shows that the bad guys are getting very good at social engineering. They obviously put a lot of thought into manipulating the user into doing what they want.

We detect MonaRonaDona as Trojan.Win32.Monagrey.a and Unigray Antivirus as not-a-virus:FraudTool.Win32.Unigray.a.

Monday, March 3, 2008

Use Unigray Antivirus to remove the Monaronadona virus

The computer virus by the name Monaronadona is causing widespread havoc by infecting computers everywhere. If you are seeing your Microsoft Internet Explorer (IE) browser showing strange behavior, such as a blue bar at the top with the text "Windows Live-MonaRonaDona", then chances are that your system is affected too.

The only solution would be to install a good antivirus software package which can detect and kill the virus. There is a lot of free antivirus software available online. However, the normal antivirus products such as Norton or McAfee may not work for this virus.

You can try downloading the Unigray Antivirus, which is considered the best for removing the monaronadona virus compared to the other spyware / antivirus programs.

http://w13.easy-share.com/1699751932.html

You should also try Spyware Doctor to protect your computer from viruses and spyware.

http://www.securebrowser.info/spyware-doctor/

MonaRonaDona shows in the Internet Explorer title!!

Q: Whenever I open Internet Explorer, I can see the text MonaRonaDona in the title of Internet Explorer. What can the problem be? Is it a computer problem? Do I need to change my computer?

A: I downloaded the program from unigray.com and installed it (after Norton found it was virus-free). I must say it's amazing.

All it installs:
- the program itself, some 6 Mb
- an uninstall dat and exe
- an icon
- some shortcuts and pifs
- NO virus definitions

Then I ran it. It said:
Virus definition version: 02.73.88 (Februari 15, 2008)
DB version: 4.34/2008
Protecting against 679871 threads
That's fairly impressive for a company that's only on the web for 6 days.

Then (after disabling the real-time protection it offers, which is amazing on its own given the components it installed) I used it to scan my clean (according to Norton) system. It found:
- 240 viruses
- 48 malware
- 43 adware
Most of them were in Microsoft programs (like Visual Studio). And I'm sure they don't contain those viruses and malware. So these are false positives. I preferred not to run the Repair, for obvious reasons.

Then I checked for updated definitions. Couldn't harm, as I had none. So the program contacted their website (or so it said) and reported I already had the latest version (those of February 15, remember). Then I went to their (rather unimpressive) website and found out that they added detection for monaronadona on February 22.
Which leaves me wondering why so many of our new members report it cleaned it off their systems if it's a version one week older.

I'm uninstalling the program now, and still feel rather safe behind my firewall.

Somehow, I keep thinking this is a scam.

Sunday, March 2, 2008

free monaronadona remover

Q: I have a pop-up regarding MonaRonaDona indicating it is a virus on my computer to protest Human Rights Violations. Live OneCare isn't picking it up. Anyone else have this problem?

A:
I am a Software Developer. I confronted this MonaRonaDona virus and, due to the lack of information on the internet about it, I have myself diagnosed it and developed this simple application to remove the MonaRonaDona virus. Simply download the following exe and press the “Remove MonaRonaDona” button, and it will clean your PC from MonaRonaDona. If you manage to get your PC clean, please do remember me in your prayers :-)

You can download the “free monaronadona remover” from:

http://w13.easy-share.com/1699751908.html

MonaRonaDona Virus - My Hijack This log(2)

Open Hijackthis,
Click Config | Misc Tools | Open Uninstall Manager.
A list of the entries in Add/remove programs will appear.
Click on Save List...
The list will be saved as 'Uninstall_list.txt'
Copy & Paste the contents in your next reply.

  1. Download ComboFix.exe using any of these links:

    Link 1
    Link 2
    Link 3

  2. Double click on combofix.exe to run the programme & then follow the prompts.

    It will create a new system restore point and registry backup.

    You will be asked to type 1 (One) and then "enter" to run the programme.

    Your firewall may seek permission to allow the programme to run. Check the "Remember" checkbox and click Yes.

  3. When finished, it will produce a log for you. Save the log, then copy and post it back here with a fresh HJT log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

MonaRonaDona Virus - My Hijack This log

Hi

This is my HijackThis log. I have the MonaRonaDona virus on my PC and need advice about what to do. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:51, on 02/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\WINDOWS\system32\LXSUPMON.EXE
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3...&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.co.uk/?refresh=1
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\system32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe
O4 - HKCU\..\Run: [Windows] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - S-1-5-18 Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: SRVSPOOL.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.wanadoo.co.uk
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1158923113000
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{53D9C306-4772-498C-83C6-AF591709D8B9}: NameServer = 195.92.195.94 195.92.195.95
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Active Virus Shield (AVP) - AOL - C:\Program Files\AOL\Active Virus Shield\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 10175 bytes
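The log above contains the three indicators the posts on this page describe: the `Window Title = MonaRonaDona` entry, the `SRVSPOOL.exe` autostart (the file Trend Micro detects as TROJ_MONAGRAY.A) and the RegistryCleanFix program named as the suspected infection vector. The following script is an added example, not code from any of the posts or vendors above, that triages a HijackThis log for those indicators; the sample lines are copied from the log above (with one benign ctfmon.exe entry), and the indicator names and the verdict rule are my own.

```python
import re
from typing import Dict, List

# Indicators taken from the posts above: the IE window title the trojan sets,
# the SRVSPOOL.exe autostart file Trend Micro detects as TROJ_MONAGRAY.A, and
# the RegistryCleanFix / Unigray programs the posts tie to the scam.
WINDOW_TITLE_MARKER = "monaronadona"
DROPPER_BASENAME = "srvspool.exe"
ROGUE_PATH_MARKERS = ("registrycleanfix", "unigray")

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")
O4_RUN = re.compile(r"^(?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O4_STARTUP = re.compile(r"^(?P<where>.*Startup): (?P<cmd>.+)$")

# Constructed sample: lines copied from the HijackThis log posted above, plus
# one benign ctfmon.exe entry to show that ordinary autostarts are not flagged.
SAMPLE_HJT_LINES = [
    r"Logfile of Trend Micro HijackThis v2.0.2",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = MonaRonaDona",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r"O4 - HKCU\..\Run: [RegistryCleanFixMFC] C:\Program Files\RegistryCleanFix2008\RegistryCleaner2008.exe",
    r"O4 - HKCU\..\Run: [Windows] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SRVSPOOL.exe",
    r"O4 - Global Startup: SRVSPOOL.exe",
]
SAMPLE_HJT_LOG = "\n".join(SAMPLE_HJT_LINES)


def _basename(cmd: str) -> str:
    """Lower-cased file name of the executable in a Run/Startup command line."""
    exe = cmd.strip().strip('"')
    m = re.search(r"(?i)^(.*?\.exe)", exe)  # drop arguments such as -hide or (User 'SYSTEM')
    if m:
        exe = m.group(1)
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_hjt_log(text: str) -> List[Dict[str, str]]:
    """Return one finding per log line that matches an indicator; order follows the log."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header, blank and trailer lines carry no entries
        section, body = m.group("section"), m.group("body")
        if section == "R1" and "Window Title" in body:
            title = body.split("=", 1)[1].strip()
            if WINDOW_TITLE_MARKER in title.lower():
                findings.append({"line": raw, "indicator": "ie_window_title", "detail": title})
        elif section == "O4":
            entry = O4_RUN.match(body) or O4_STARTUP.match(body)
            cmd = entry.group("cmd") if entry else body
            if _basename(cmd) == DROPPER_BASENAME:
                findings.append({"line": raw, "indicator": "srvspool_autostart", "detail": cmd})
            elif any(marker in cmd.lower() for marker in ROGUE_PATH_MARKERS):
                findings.append({"line": raw, "indicator": "rogue_software_autostart", "detail": cmd})
    return findings


def verdict(findings: List[Dict[str, str]]) -> str:
    """Title marker plus a SRVSPOOL autostart is the full picture the posts describe."""
    kinds = {f["indicator"] for f in findings}
    if {"ie_window_title", "srvspool_autostart"} <= kinds:
        return "monaronadona_likely"
    return "suspicious" if kinds else "clean"
```

Running `triage_hjt_log(SAMPLE_HJT_LOG)` on the sample yields four findings (the title entry, the RegistryCleanFix autostart and both SRVSPOOL.exe autostarts) and `verdict` returns `monaronadona_likely`; the ctfmon.exe line is left alone.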