Win32/MonaGray [Threat Name]
Win32/MonaGray.A [Threat Variant Name]
Category | trojan |
Size | 2170880 B |
Aliases | Trojan.Win32.MonaGray.a (Kaspersky), Trojan.Monagrey (Symantec), Generic.dx.trojan (McAfee) |
Short description
Win32/MonaGray.A is a trojan that hides the windows of certain running applications and uses social-engineering techniques to entice the user into downloading the Unigray Antivirus application.
Installation
The trojan does not create any copies of itself.
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Windows" = "%filepath%.exe"
The following Registry entries are set:
- [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- "Window Title" = "MonaRonaDona"
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
- "DisableTaskMgr" = 1
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
- "SD" = "%variable%"
A string with variable content is used instead of %variable%. Setting the DisableTaskMgr policy to 1 prevents the user from opening Task Manager, and the changed Internet Explorer window title ("MonaRonaDona") is a visible sign of the infection.
Other information
The trojan hides the windows of running processes whose window title contains any of the following strings:
- Adobe
- Date And Time
- Google Talk
- Irfanview
- Macromedia
- Messenger
- Microsoft Excel
- Microsoft Office
- Microsoft Visual
- Microsoft Word
- Registry Editor
- Winamp
- Windows Media Player
- Windows Task Manager
The trojan may display the following message:
The trojan uses social-engineering techniques to entice the user to download the Unigray Antivirus application. The downloaded program tries to appear legitimate and useful; its goal is to persuade the user to purchase it. Some examples follow.
Example [1.] :
Example [2.] :
During registration of the Unigray Antivirus application, the user may be redirected to the following web site:
- http://www.unigray.com
The following files are created when Unigray Antivirus is installed:
- %programfiles%\Unigray Antivirus\Unigray Antivirus.exe
- %programfiles%\Unigray Antivirus\unins000.dat
- %programfiles%\Unigray Antivirus\unins000.exe
- %programfiles%\Unigray Antivirus\Data\PrgBar.gif
- %allusersprofile%\Desktop\Unigray Antivirus.lnk
- %allusersprofile%\Start Menu\Programs\Unigray Antivirus\Unigray Antivirus.lnk
- %allusersprofile%\Start Menu\Programs\Unigray Antivirus\Unigray Antivirus on the Web.url
- %allusersprofile%\Start Menu\Programs\Unigray Antivirus\Uninstall Unigray Antivirus.lnk
In order to be executed on every system start, the trojan sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "Unigray" = "%programfiles%\Unigray Antivirus\Unigray Antivirus.exe"
The following Registry entries are created (the "_is1" suffix of the Uninstall key is the naming convention of Inno Setup installers, so the Unigray package is an ordinary Inno Setup installation):
- [HKEY_CURRENT_USER\Software\U_AV13]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unigray Antivirus_is1]
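The registry indicators from both the Installation section (the "Windows" Run value, the Internet Explorer window title, the DisableTaskMgr policy) and the Unigray entries just listed can be checked offline against exported hives. The script below is an added example and not ESET's code or anything shipped with the threat; it assumes the keys were exported as text with `reg export <key> <file>.reg`, and the two exports it contains are constructed samples (the user name, the sample path and the benign OneDrive entry are made up) so it runs without a Windows host.

```python
"""Offline triage for the Win32/MonaGray.A and Unigray Antivirus registry indicators listed above.
Added example, not ESET's code. It assumes the keys were exported as text with
`reg export <key> <file>.reg`; the exports embedded below are constructed samples."""
import re
from typing import Dict, List, Optional, Tuple

# Indicators transcribed from the description: (key, value name, expected data).
# value name None = the key's presence is the indicator; expected None = report any data
# (the Run value "Windows" points at %filepath%.exe, whose location is not fixed).
IOCS: List[Tuple[str, Optional[str], object]] = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Windows", None),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Unigray", None),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main", "Window Title", "MonaRonaDona"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1),
    (r"HKEY_CURRENT_USER\Software\U_AV13", None, None),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unigray Antivirus_is1", None, None),
]
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')  # "name"=data or @=data (default value)

def _unescape(s: str) -> str:
    """Undo the .reg escaping of backslashes and double quotes."""
    return re.sub(r'\\(["\\])', r"\1", s)

def _decode_data(data: str) -> object:
    """Decode a .reg value: quoted string, dword:XXXXXXXX, '-' (delete marker), else raw hex text."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    return None if data == "-" else data

def parse_reg_export(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg export text into {key: {value_name: data}}; keys without values map to {}."""
    hives: Dict[str, Dict[str, object]] = {}
    current: Optional[str] = None
    joined = re.sub(r"\\\r?\n\s*", "", text)  # re-join hex values that reg.exe wraps over several lines
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if current is not None and m is not None:
            name = "" if m.group(2) else _unescape(m.group(1))
            hives[current][name] = _decode_data(m.group(3))
    return hives

def find_iocs(hives: Dict[str, Dict[str, object]]) -> List[str]:
    """One line per indicator present; key and value names compare case-insensitively, as the registry does."""
    by_key = {k.lower(): v for k, v in hives.items()}
    findings: List[str] = []
    for key, name, expected in IOCS:
        values = by_key.get(key.lower())
        if values is None:
            continue
        if name is None:
            findings.append(f"key present: {key}")
            continue
        by_name = {n.lower(): d for n, d in values.items()}
        if name.lower() in by_name and (expected is None or by_name[name.lower()] == expected):
            findings.append(f"{key} -> {name!r} = {by_name[name.lower()]!r}")
    return findings

# Constructed infected profile (user name, sample path and the benign OneDrive entry are made up).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Windows"="C:\\Users\\alice\\Downloads\\monagray_sample.exe"
"Unigray"="C:\\Program Files\\Unigray Antivirus\\Unigray Antivirus.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Window Title"="MonaRonaDona"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\U_AV13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unigray Antivirus_is1]
"UninstallString"="\"C:\\Program Files\\Unigray Antivirus\\unins000.exe\""
'''

# Constructed clean profile: same Run and policy keys, nothing matching (DisableTaskMgr explicitly 0).
CLEAN_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
'''

if __name__ == "__main__":
    for label, export in (("infected sample", SAMPLE_EXPORT), ("clean sample", CLEAN_EXPORT)):
        hits = find_iocs(parse_reg_export(export))
        print(f"{label}: {len(hits)} indicator(s)")
        for hit in hits:
            print("  " + hit)
```

On a real host, export each key of interest (for example `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg`) and feed the file to `parse_reg_export`; reg.exe writes the export as UTF-16 with a byte-order mark, so open it with `encoding="utf-16"`. A Run value literally named "Windows" is reported whatever it points at, because the page only gives the placeholder %filepath%.exe; treat that hit as something to inspect by hand rather than as proof on its own.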