
MonaRonaDona may be far from the wild combination of famous women's portraits that its name suggests, but this nifty little malware has been making headlines on security Web sites for the last couple of days, bringing to light the latest “artistic” persuasion that only a social engineering scammer would attempt to pull off.
The exact source of the malware remains unclear, but some security analysts surmise that this threat comes packaged with “system optimization tools” available for free on the Internet. Our analysts, however, are also inclined to believe that this threat arrives on computers that are already infected, specifically those that are already part of a botnet. The malware remains inactive (and evades detection) until users restart their systems. Mona then displays a message upon startup, aiming to introduce itself to the user and at the same time pique his/her interest:

Through the years, it has become natural for computer-savvy users to start looking for solutions or a cure for malware once their systems are inadvertently infected over the Web. This natural human response thus becomes an opportunity for social engineers to exploit. Researchers have found that keying in “MonaRonaDona” in a search engine (e.g., Yahoo!, Google) returns a list of Web sites pointing to several references and discussions about a cure for the MonaRonaDona strain. The sites include YouTube video pages and Web forums. Mona is not really that popular in that corner of cyberspace; further investigation reveals that these sites were also the doing of the malware writers.
In a sample article that turned up in the searches, for instance, an antivirus product known as Unigray Antivirus was mentioned, which claims to scan for and detect 679,871 threats, including the MonaRonaDona strain. Though it does detect and clean the said strain, investigation results dispute the claim that Unigray can also (supposedly) detect and clean the remaining 679,870. Furthermore, the Web site hosting Unigray had only been up on the Web for a couple of weeks, which would probably make anyone think twice before actually purchasing the product. One can assume that, most likely, the people behind MonaRonaDona are the same people who developed Unigray.
Trend Micro detects MonaRonaDona as TROJ_MONAGRAY.A. The following component files are also detected:
- RegistryCleaner2008.txt (1,990,711 bytes) – detected as ADW_REGCLEAN.A (TMASY detection is Adware_RegClean)
- unigray_antivirus.txt (1,377,566 bytes) – detected as ADW_UNIGRAY.A (TMASY detection is Adware_Unigray)
- Unigray Antivirus.txt (6,721,536 bytes) – detected as ADW_UNIGRAY.A (TMASY detection is Adware_Unigray)
- SRVSPOOL.txt (2,170,880 bytes) – detected as TROJ_MONAGRAY.A
One cannot help but feel a little impressed at how much social engineering has “come of age.” The people behind such acts are putting more thought and effort into their new schemes than usual, attempting to make something out of the smallest opportunities for profit. Social engineering is really no small business, as users are still found to fall prey to its lures.
Trend Micro advises users to be more wary of new social engineering techniques being practiced in the wild. Lastly, keep pattern and scan files updated.