Thursday, March 06, 2008 10:59 AM
The Art, Drama, and Sophistication of MonaRonaDona | TrendLabs | Malware Blog - by Trend Micro
March 6th, 2008 by Jovi Umawing
MonaRonaDona may not be the wild mash-up of famous portraits of women that its name suggests, but this nifty little malware has been making headlines on security Web sites for the last couple of days, bringing to light the latest “artistic” ploy that only a social-engineering scammer would attempt to pull off.
According to unconfirmed reports, initial infection happens when users click a certain ad banner for Registry Clean Fix, a possible rogue program, which initiates a stealth download of MonaRonaDona onto the system. The malware remains inactive (and impervious to detection) until the user restarts the system. Mona then displays the following message upon startup, aiming to introduce itself to the user and at the same time pique his/her interest:
Through the years, it has become natural for computer-savvy users to start looking for solutions or a cure for malware once their systems are inadvertently infected over the Web. This natural human response thus becomes an opportunity for social engineers to exploit. Researchers have found that keying in “MonaRonaDona” in a search engine (e.g. Yahoo!, Google) results in a list of Web sites pointing to several references and discussions about a cure for the MonaRonaDona strain. The sites include YouTube video pages and Web forums. It is not that Mona is all that popular in that corner of cyberspace; further investigation reveals that these sites were also the doing of the malware writers. Below is a screenshot of one of the sites that carries the MonaRonaDona cleaning solution article:
The article mentioned an antivirus product known as Unigray Antivirus, which claims to scan for and detect 679,871 threats, including the MonaRonaDona strain. Though it does detect and clean the said strain, investigation disputed the claim that Unigray can also detect and clean the remaining 679,870. Furthermore, the Web site where Unigray was hosted had only been up on the Web for a couple of weeks, which would probably make anyone think twice before actually purchasing the product. One can reasonably assume that the people behind MonaRonaDona are the same people who developed Unigray.
Trend Micro detects MonaRonaDona as TROJ_MONAGRAY.A. The following component files are also detected:
- RegistryCleaner2008.txt (1,990,711 bytes) - detected as ADW_REGCLEAN.A (TMASY detection is Adware_RegClean)
- unigray_antivirus.txt (1,377,566 bytes) - detected as ADW_UNIGRAY.A (TMASY detection is Adware_Unigray)
- Unigray Antivirus.txt (6,721,536 bytes) - detected as ADW_UNIGRAY.A (TMASY detection is Adware_Unigray)
- SRVSPOOL.txt (2,170,880 bytes) - detected as TROJ_MONAGRAY.A
One cannot help but feel a little impressed at how much social engineering has “come of age.” The people behind such acts are putting more thought and effort into their new schemes than usual, attempting to make something out of the smallest opportunities for profit. Social engineering is really no small business, as users are still found to fall prey to its lures.
Trend Micro advises users to refrain from clicking ad banners, which might lead to the unexpected download of malicious files onto a system or redirection to a malicious Web site. Trend Micro also urges users to be more wary of new social engineering techniques being practiced in the wild. Lastly, keep pattern and scan engine files updated.
Source: The Art, Drama, and Sophistication of MonaRonaDona | TrendLabs | Malware Blog - by Trend Micro