F-Secure Malware Information Pages: Trojan:W32/MonaGray.A

Main Index

Security Guide

F-Secure World Map

Security Alerts

Virus Statistics

Malware Removal Tools

Malware Code Glossary

Submit Malware Sample

Select local site

Main Index » Security Centre » Descriptions

F-Secure Malware Information Pages: Trojan:W32/MonaGray.A

[Summary] \| [Disinfection] \| [Detailed Description]
Name :	Trojan:W32/MonaGray.A
Alias:	Trojan.Win32.MonaGray.a, MonaRonaDona, Trojan.Win32.MonaGray.b, Trojan.Win32.MonaGray.c
Type:	Trojan
Category:	Malware
Platform:	W32

Radar

Summary

Trojan:W32/MonaGray.A is a trojan horse that attempts trick victims into downloading a misleading application called Unigray Antivirus.

Unigray Antivirus is a "rogue" product and is detected as Rogue:W32/Unigray.A.

Back to the Top

Disinfection

Trojan Disinfection

Perform full computer check

Follow the steps below:

1. Open F-Secure
2. Select the "Virus & Spy Protection" button
3. Click the link for "Scan my computer..."
4. Select "Perform full computer check" from the list
5. Please note the path and filenames of the malware found
6. Delete/Remove all files detected

Note: Please make that your Automatic Updates are enabled and that the definition databases are current.

Remove launch points and other malware entries from the Registry

Follow the steps below:

1. From the Start Menu; select Run; type "regedit" into the Open: field; click OK.
2. Once the Registry Editor has launched, navigate to the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Locate and delete the value:
"Windows" = {path and filename of the malware found}
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Locate and delete the value:
"Window Title" = "MonaRonaDona"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
Locate and delete the value:
"SD" = {random numbers}

3. Restore any modified registy value if needed:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"DisableTaskMgr" = "1" to "DisableTaskMgr" = {previous value}

Note: If you have Task Manager enabled on your system by default, you may simply delete the value:
"DisableTaskMgr" = "1"

Repeat the full computer check to make sure the malware was completely removed.

Back to the Top

Detailed Description

Trojan:W32/MonaGray is the first component of a scam designed to trick victims into purchasing a rogue product. The trojan infects with the intent of drawing attention to itself.

It displays the follow message from the System Tray:

MonaGray.A also sets Internet Explorer's title bar to "MonaRonaDona" and disables the system's Task Manager.

Its primary purpose is to direct the victim to search for the term MonaRonaDona.

Search engines directed to prepared results promoting "Unigray Antivirus".

Example from Digg.com:

The only designed purpose of "Unigray Antivirus" is to remove the MonaGray trojan.

The rogue product sold for $39.90.

As of March 13, 2008 the Unigray website is unavailable and search engine results for "MonaRonaDona" result in legitimate warnings rather than the rogue's prepared promotions.

Back to the Top

F-Secure Corporation

Last Modified: March 13, 2008