Trojan:W32/MonaGray.A

Classification

Category :

Malware

Type :

Trojan

Aliases :

Trojan:W32/MonaGray.A

Summary

Trojan:W32/MonaGray.A is a trojan horse that attempts to trick victims into downloading a misleading application called Unigray Antivirus. Unigray Antivirus is a "rogue" product and is detected as Rogue:W32/Unigray.A.

Removal

Manual action

Perform full computer check

Follow the steps below:

  1. Open F-Secure
  2. Select the "Virus & Spy Protection" button
  3. Click the link for "Scan my computer..."
  4. Select "Perform full computer check" from the list
  5. Please note the path and filenames of the malware found
  6. Delete/Remove all files detected

Note: Please make sure that your Automatic Updates are enabled and that the definition databases are current.

Remove launch points and other malware entries from the Registry

Follow the steps below:

  1. From the Start Menu, select Run, type "regedit" into the Open: field, and click OK.
  2. Once the Registry Editor has launched, navigate to the following registry keys:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Locate and delete the value: "Windows" = {path and filename of the malware found}
    • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
      Locate and delete the value: "Window Title" = "MonaRonaDona"
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
      Locate and delete the value: "SD" = {random numbers}
  3. Restore any modified registry value if needed:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
      Change "DisableTaskMgr" = "1" to "DisableTaskMgr" = {previous value}
    • Note: If you have Task Manager enabled on your system by default, you may simply delete the value: "DisableTaskMgr" = "1"

Repeat the full computer check to make sure the malware was completely removed.
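The registry steps above can also be checked from PowerShell. The script below is an added example, not F-Secure tooling: it reports the four HKEY_CURRENT_USER values named in the steps and deletes them only when the `-Remove` switch is given. The switch name and the regex patterns are choices of this example.

```powershell
# Added example (not F-Secure tooling). Run as the affected user: HKCU is per-user.
# Report-only by default; pass -Remove to delete the values that match.
param([switch]$Remove)

$cv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'

# Key / value name / regex the data must match (patterns are this example's choice).
$checks = @(
    # Any "Windows" Run entry is reported; compare Data with the path the scan found.
    [pscustomobject]@{ Key = "$cv\Run"; Name = 'Windows'; Pattern = '.' }
    [pscustomobject]@{ Key = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
                       Name = 'Window Title'; Pattern = '^MonaRonaDona$' }
    # The page gives the "SD" data only as random numbers, so match digits only.
    [pscustomobject]@{ Key = $cv; Name = 'SD'; Pattern = '^\d+$' }
    # If a previous DisableTaskMgr value is known, restore it by hand instead of -Remove.
    [pscustomobject]@{ Key = "$cv\Policies\System"; Name = 'DisableTaskMgr'; Pattern = '^1$' }
)

foreach ($c in $checks) {
    if (-not (Test-Path -LiteralPath $c.Key)) { continue }
    $prop = Get-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { continue }              # value not present
    $data = [string]$prop.($c.Name)
    if ($data -notmatch $c.Pattern) { continue }   # present, but not the listed indicator

    $action = 'reported'
    if ($Remove) {
        Remove-ItemProperty -LiteralPath $c.Key -Name $c.Name -ErrorAction Stop
        $action = 'removed'
    }
    [pscustomobject]@{ Key = $c.Key; Name = $c.Name; Data = $data; Action = $action }
}
```

Run it once without `-Remove` and review the Data column before deleting anything; no output means none of the listed values is present for the current user.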

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Trojan:W32/MonaGray is the first component of a scam designed to trick victims into purchasing a rogue product. The trojan infects with the intent of drawing attention to itself. It displays the following message from the System Tray:

MonaGray.A also sets Internet Explorer's title bar to "MonaRonaDona" and disables the system's Task Manager. Its primary purpose is to direct the victim to search for the term MonaRonaDona. Search engines then returned prepared results promoting "Unigray Antivirus". Example from Digg.com:

The only designed purpose of "Unigray Antivirus" is to remove the MonaGray trojan. The rogue product sold for $39.90.

As of March 13, 2008 the Unigray website is unavailable and search engine results for "MonaRonaDona" result in legitimate warnings rather than the rogue's prepared promotions.