Win32/MonaGray [Threat Name]

Win32/MonaGray.A [Threat Variant Name]

Category: trojan
Size: 2170880 B
Aliases: Trojan.Win32.MonaGray.a (Kaspersky), Trojan.Monagrey (Symantec), Generic.dx.trojan (McAfee)
Short description

Win32/MonaGray.A is a trojan that hides windows of certain running applications. The trojan uses techniques to entice users to download the Unigray Antivirus application.

Installation

The trojan does not create any copies of itself.

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Windows" = "%filepath%.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    • "Window Title" = "MonaRonaDona"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    • "DisableTaskMgr" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
    • "SD" = "%variable%"

A string with variable content is used instead of %variable%.

Other information

The trojan hides the windows of running applications whose title contains any of the following strings:

  • Adobe
  • Date And Time
  • Google Talk
  • Irfanview
  • Macromedia
  • Messenger
  • Microsoft Excel
  • Microsoft Office
  • Microsoft Visual
  • Microsoft Word
  • Registry Editor
  • Winamp
  • Windows Media Player
  • Windows Task Manager

The trojan may display the following message:

The trojan uses techniques to entice users to download the Unigray Antivirus application.

The downloaded programs try to appear to be legitimate and useful.

The goal of these programs is to persuade the user to purchase them.

Some examples follow.

Example 1:

Example 2:

During registration of the adware, the user may be redirected to one of the following web sites:

  • http://www.unigray.com

The trojan creates the following files:

  • %programfiles%\Unigray Antivirus\Unigray Antivirus.exe
  • %programfiles%\Unigray Antivirus\unins000.dat
  • %programfiles%\Unigray Antivirus\unins000.exe
  • %programfiles%\Unigray Antivirus\Data\PrgBar.gif
  • %allusersprofile%\Desktop\Unigray Antivirus.lnk
  • %allusersprofile%\Start Menu\Programs\Unigray Antivirus\Unigray Antivirus.lnk
  • %allusersprofile%\Start Menu\Programs\Unigray Antivirus\Unigray Antivirus on the Web.url
  • %allusersprofile%\Start Menu\Programs\Unigray Antivirus\Uninstall Unigray Antivirus.lnk

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Unigray" = "%programfiles%\Unigray Antivirus\Unigray Antivirus.exe"

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\U_AV13]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unigray Antivirus_is1]
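As an added example that is not part of this ESET entry, the following PowerShell script queries a Windows host for the Registry keys, values and files listed above, covering both the MonaGray entries under Installation and the Unigray Antivirus artifacts; every path and value name is taken from this page, while the function name and the report strings are the script's own.

```powershell
# Added example: check a host for the Win32/MonaGray.A and Unigray Antivirus
# indicators described on this page. Run in an elevated PowerShell session.
function Get-RegValueHit {
    param([string]$Path, [string]$Name, [string]$Note, $Expected = $null)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return }
    $value = $item.$Name
    # When an expected value is given, only an exact match is reported.
    if ($null -ne $Expected -and $value -ne $Expected) { return }
    "[registry] ${Path}: $Name = $value ($Note)"
}

$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$findings = @(
    # Autostart entries: "Windows" for the trojan itself, "Unigray" for the dropped program.
    Get-RegValueHit $run 'Windows' 'MonaGray autostart'
    Get-RegValueHit $run 'Unigray' 'Unigray Antivirus autostart'
    # Browser title change and Task Manager lockout. DisableTaskMgr is also set by
    # legitimate group policy, so on its own it is supporting evidence only.
    Get-RegValueHit 'HKCU:\Software\Microsoft\Internet Explorer\Main' 'Window Title' 'IE title' 'MonaRonaDona'
    Get-RegValueHit 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System' 'DisableTaskMgr' 'Task Manager disabled' 1
    Get-RegValueHit 'HKCU:\Software\Microsoft\Windows\CurrentVersion' 'SD' 'variable-content marker'
    # Keys created by the Unigray Antivirus installer.
    foreach ($key in 'HKCU:\Software\U_AV13',
                     'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unigray Antivirus_is1') {
        if (Test-Path -LiteralPath $key) { "[registry] key present: $key" }
    }
    # Dropped program files under %programfiles%.
    foreach ($rel in 'Unigray Antivirus\Unigray Antivirus.exe',
                     'Unigray Antivirus\unins000.exe',
                     'Unigray Antivirus\Data\PrgBar.gif') {
        $p = Join-Path $env:ProgramFiles $rel
        if (Test-Path -LiteralPath $p) { "[file] $p" }
    }
    # Desktop shortcut; %allusersprofile%\Desktop is the layout this page describes
    # and may resolve differently on newer Windows versions.
    $lnk = Join-Path $env:ALLUSERSPROFILE 'Desktop\Unigray Antivirus.lnk'
    if (Test-Path -LiteralPath $lnk) { "[file] $lnk" }
)

if ($findings.Count -eq 0) { 'No Win32/MonaGray.A indicators found.' }
else { $findings }
```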
