



Trojan:W32/MonaGray.A

Name: Trojan:W32/MonaGray.A
Category: Malware
Type: Trojan
Platform: W32

Summary

Trojan:W32/MonaGray.A is a trojan horse that attempts to trick victims into downloading a misleading application called Unigray Antivirus.

Unigray Antivirus is a "rogue" product and is detected as Rogue:W32/Unigray.A.

Disinfection

Trojan Disinfection

Perform full computer check

Follow the steps below:

1. Open F-Secure
2. Select the "Virus & Spy Protection" button
3. Click the link for "Scan my computer..."
4. Select "Perform full computer check" from the list
5. Please note the path and filenames of the malware found
6. Delete/Remove all files detected
Note: Please make sure that your Automatic Updates are enabled and that the definition databases are current.

Remove launch points and other malware entries from the Registry

Follow the steps below:

1. From the Start Menu, select Run, type "regedit" into the Open: field, and click OK.
2. Once the Registry Editor has launched, navigate to the following registry keys:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Locate and delete the value:
    "Windows" = {path and filename of the malware found}
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    Locate and delete the value:
    "Window Title" = "MonaRonaDona"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
    Locate and delete the value:
    "SD" = {random numbers}

3. Restore any modified registry value if needed:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
    Change "DisableTaskMgr" = "1" to "DisableTaskMgr" = {previous value}

Note: If you have Task Manager enabled on your system by default, you may simply delete the value:
"DisableTaskMgr" = "1"

Repeat the full computer check to make sure the malware was completely removed.
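
The registry artifacts listed in the steps above can also be checked offline against an exported copy of HKEY_CURRENT_USER. The following Python code is an added example, not F-Secure's own tooling; it assumes the export (.reg format, normally UTF-16) has already been decoded to text, and the function names, sample path and sample "SD" data are constructed for illustration.

```python
import re

CV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
INDICATORS = [  # (key, value name, test on the data), from the removal steps
    (CV + r"\Run", "Windows", lambda v: True),  # any data: review the path
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main",
     "Window Title", lambda v: v == "MonaRonaDona"),
    (CV, "SD", lambda v: True),
    (CV + r"\Policies\System", "DisableTaskMgr", lambda v: v in ("1", 1)),
]
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse .reg export text into {key: {value name: data}}, both lowercased."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = VALUE_LINE.match(line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and m:
            name, data = m.groups()
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \"
            current[name.lower()] = data  # other types (hex:...) stay raw
    return keys

def find_monagray_artifacts(text):
    """Return [(key, value name, data)] for each listed artifact present."""
    keys, hits = parse_reg(text), []
    for key, name, suspicious in INDICATORS:
        data = keys.get(key.lower(), {}).get(name.lower())
        if data is not None and suspicious(data):
            hits.append((key, name, data))
    return hits

# Constructed sample export, not captured from a real infection.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows"="C:\\constructed\\sample.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="MonaRonaDona"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"SD"="12345"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''
print(find_monagray_artifacts(SAMPLE))
```

A hit on the "Windows" Run value only means a value with that name exists; compare its data with the path and filename reported by the scan before deleting it.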

Additional Details

Trojan:W32/MonaGray is the first component of a scam designed to trick victims into purchasing a rogue product. The trojan infects with the intent of drawing attention to itself.

It displays the following message from the System Tray:



MonaGray.A also sets Internet Explorer's title bar to "MonaRonaDona" and disables the system's Task Manager.

Its primary purpose is to direct the victim to search for the term MonaRonaDona.

Search engines directed the victim to prepared results promoting "Unigray Antivirus".

Example from Digg.com:



The only designed purpose of "Unigray Antivirus" is to remove the MonaGray trojan.

The rogue product sold for $39.90.



As of March 13, 2008, the Unigray website is unavailable, and search engine queries for "MonaRonaDona" return legitimate warnings rather than the rogue's prepared promotions.