MonaRonaDona New Social Engineering Scam
A malware called “MonaRonaDona” is using social engineering tactics and prompts users to enter the term “MonaRonaDona” into a search engine. This attempt leads them to an application that can remove the unwelcome threat – a fix that has obviously been conveniently provided by the very people who created the virus in the first place.
When the Trojan executes, it creates the file SRVSPOOL.EXE in the startup folder of all user accounts and displays the following alert on the compromised computer:
The threat will stop the following applications if their name appears in the Windows title bar and the title bar will also contain a reference to MonaRonaDona:
Date And Time
Windows Task Manager
Microsoft Visual
Windows Media Player
Winamp
Microsoft Office
Microsoft Excel
Microsoft Word
Windows Live Messenger
Registry Editor
Irfanview
Google Talk
Macromedia
Adobe
Once the user enters the name ‘MonaRonaDona’ into an Internet search engine, some of the top search results will be the “cure” that the malware. This fake cure is most conveniently created in order to solve the problem and charge US$39.90 for it.
Currently top search engine results highlight the fact that this is a scam and warn victims against downloading the Trojan author’s application created to remove the malware, which costs US$39.90. The website which provides it, Unigray, is down at this moment. While the software does in fact remove the MonaRonaDona Trojan – it is the ONLY malware it removes, despite the fact that it (falsely) reports to have cleaned over 200 other threats. These threats appear to have been randomly selected from the Symantec threat database.
Not surprisingly, the domain unigray.com was only registered on Feb 20 this year – and yet the product claims to detect 679,871 threats.
Symantec antivirus products detect MonaRonaDona as Trojan.Monagray and the Unigray software as misleading application “Unigray”.
More on CyberInsecure:
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.