MonaRonaDona Mystery Solved

Brain Krebs at the Washington Post blogged today about a pretty common, unusually mysterious, and very badly named extortion scam, “MonaRonaDona”:
“Nobody seems to know how the thing wiggles into infected PCs in the first place, but the one thing that’s clear is that this invader’s primary purpose is to call as much attention to itself as possible…This piece of malware disables a number of programs on the victim’s PC, changes the title of each Internet Explorer Window to include its name, and pops up the warning shown in the adjacent screenshot.”

Our talented friend Roel at Kaspersky blogged about symptoms that they’ve seen as well, without much to add about its origins:
How the malware actually reaches the system isn’t entirely clear at the moment. When first run, the only thing the program does is register itself to start at Windows boot. As symptoms of infection aren’t immediately visible, this makes it harder for victims to pinpoint what they were doing when they actually got infected. “

We were analyzing the same threat earlier this morning, when one of our support team was contacted about the problem. Our ThreatExpert and ThreatFire protected community provided the binaries to find some answers.

Some of these users unfortunately were persuaded over the past week or so to run a version of “RegistryCleaner2008.exe” (afec3d0f13b8f866f2c2eec122024165 for you researchers out there), as can be seen here:

Along with a particular version of “RegistryCleaner2008.exe”, came a little friend by the name of “srvspool.exe” and friends. Some of the infection symptoms are somewhat simple and silly compared to other threats we’ve been researching — “MonaRonaDona” appears in the Internet Explorer title bar, the “DisableTaskManager” key in the registry is set so users cannot use Ctl+Alt+Del to kill the threat on their system, and “srvspool.exe” appears in the All Users startup folder.

Interestingly, the release coincided with the shortlived appearance of an antivirus suite at www.unigray.com. Notice the “New Spyware Threats” list in the bottom right corner contains #1 new find “MonaRonaDona”. At the moment of posting, googling for this dreadfully named virus family turns up no results from any of the credible AV vendors:

Meanwhile, a mysterious poster “ParadiseForever” claimed that “The computer virus by the name Monaronadona is causing widespread havoc by infecting computers everywhere” and that “The only solution would be to install a good AntiVirus software package which can detect and kill the virus. There are a lot of free AntiVirus softwares available online. However the normal antivirus such as Norton or McAfee may not work for this Virus.
You can try dowloading the Unigray Antivirus which is considered the best for removing the monaronadona virus compared to the other spyware / antivirus programs”, which can be seen here:

And here is an attempt to lend credibility to this overpriced false positive producing Unigray scanner, by putting it in the same list as established and well known AV vendors:

Note that it has been reported by other researchers that users’ search engine results are modified in some way, but we have not witnessed this activity. Instead, the rogueware authors have posted at Digg and other sites in order to appear as top Yahoo and other search engine hits for the search term “MonaRonaDona”, with pages that promote the rogueware Unigray AV scanner.
A clean system shows that the top unsponsored result at the yahoo web site takes you to the phony “ParadiseForever” post at hubpages.com:

More of the scam can be read about on Krebs’ post, where he instructs users “If you’re a victim of this extortion scam, please don’t pay up.”

We’ll have more details about the binaries and provide updated information as well. In the meantime, we are pleased to report that the source of this Rogueware is quiet at the moment:

This entry was posted in Online Fraud. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>