Nikki
@verizon.net

Nikki to bcastner

Anon

to bcastner

Re: MonaRonaDona "virus"?

I have this virus as we speak. I am going to try and follow your response in safe mode. No I haven't gotten any messages from "UniGray Antivirus".

Lisa71
@bellsouth.net

Lisa71 to bcastner

Anon

to bcastner
IT WORKED!!! Thank You!!!

Nikki
@verizon.net

Nikki to bcastner

Anon

to bcastner
I did all the steps and it worked until the OTMoveIT, it keeps freezing me as well. I am going to wait awhile and try again. I am going to back up all my files still tho as I am having other issues.

dogwalkr55
@verizon.net

dogwalkr55 to bcastner

Anon

to bcastner
Your fix worked. Thank you so much. Got the link from the Washington Post.

Snowbunny85
@cox.net

Snowbunny85 to bcastner

Anon

to bcastner
My comp has this virus and it has gotten so bad that it has disabled EVERYTHING!! I can't even get online with it....is there any way to get rid of it without having to access the internet??

bcastner
MVM
join:2002-09-25
Chevy Chase, MD

bcastner

MVM

Use the script solution, as nothing needs to be downloaded:
»Re: MonaRonaDona "virus"?

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe

Premium Member

I've scanned through this thread and one thing that hasn't popped out is...how did those that got infected do so?

If I missed it...sorry. But it would be interesting to know how the bad guy wound up on infected machines so others won't make the same mistake.

bcastner
MVM
join:2002-09-25
Chevy Chase, MD

1 edit

bcastner

MVM

jefe,

See: »Re: MonaRonaDona "virus"?

jefe
Premium Member
join:2001-05-19
Northport, NY

jefe to bcastner

Premium Member

to bcastner
"We're still researching this" doesn't add much. I was hoping that one or more of the posters in this thread who have been infected might report how they suspect they got bitten.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

4 edits

Name Game

Premium Member

said by jefe:

"We're still researching this" doesn't add much. I was hoping that one or more of the posters in this thread who have been infected might report how they suspect they got bitten.
You could start reading here as to what classical62 posted and then the rest of the thread where two others posted how they were infected.

»Re: MonaRonaDona "virus"?
Here is another post by Wayonmyway
»Re: MonaRonaDona "virus"?

Then you can read these links

Monday, March 3, 2008
MonaRonaDona Mystery Solved

Some of these users unfortunately were persuaded over the past week or so to run a version of "RegistryCleaner2008.exe" (afec3d0f13b8f866f2c2eec122024165 for you researchers out there), as can be seen here:

Along with a particular version of "RegistryCleaner2008.exe", came a little friend by the name of "srvspool.exe" and friends. Some of the infection symptoms are somewhat simple and silly compared to other threats we've been researching -- "MonaRonaDona" appears in the Internet Explorer title bar, the "DisableTaskManager" key in the registry is set so users cannot use Ctl+Alt+Del to kill the threat on their system, and "srvspool.exe" appears in the All Users startup folder.

»blog.threatfire.com/

What we know about REGISTRYCLEANER2008.EXE:
»www.prevx.com/filenames/ ··· EXE.html
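
The three symptoms quoted in the post above, written as an offline triage check (an added example, not code from this thread or from ThreatFire). It scans decoded registry-export text and a startup-folder listing; the value locations used for the IE title bar and for what the quote calls "DisableTaskManager" (`Window Title` and `DisableTaskMgr`) are assumptions, and the sample data is constructed.

```python
import re

# Constructed sample input: a .reg-export fragment and a startup-folder listing.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="about:blank"
"Window Title"="MonaRonaDona"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''
SAMPLE_STARTUP = ["desktop.ini", "SrvSpool.exe"]

# Assumed locations of the values behind the symptoms the quote describes.
IE_MAIN = r"hkey_current_user\software\microsoft\internet explorer\main"
POLICY = r"hkey_current_user\software\microsoft\windows\currentversion\policies\system"

def parse_reg(text):
    """Return {key_path_lower: {value_name_lower: raw_data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return keys

def check_symptoms(reg_text, startup_files):
    """List which of the three quoted symptoms are present in the snapshot."""
    keys = parse_reg(reg_text)
    findings = []
    title = keys.get(IE_MAIN, {}).get("window title", "")
    if "monaronadona" in title.lower():
        findings.append("ie_title_bar")
    flag = re.fullmatch(r"dword:([0-9a-f]{8})",
                        keys.get(POLICY, {}).get("disabletaskmgr", "").lower())
    if flag and int(flag.group(1), 16) != 0:
        findings.append("task_manager_disabled")
    if any(name.lower() == "srvspool.exe" for name in startup_files):
        findings.append("srvspool_in_startup")
    return findings

if __name__ == "__main__":
    print(check_symptoms(SAMPLE_REG, SAMPLE_STARTUP))
```
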

bcastner
MVM
join:2002-09-25
Chevy Chase, MD

1 recommendation

bcastner to jefe

MVM

to jefe
quote:
Well, as we research further into the so-called MonaRonaDona virus, Registry Cleaner 2008, and Unigray Antivirus, we find characteristics common to each executable binary, leading us to believe with a high level of confidence that not only are the binaries from the same group, but they were developed on the same machine.

We performed a forensic investigation of the binaries, and in the Sherlock Holmes style we can say that the author of these masterpieces is a male (possibly Pakistani), who lives in Netherlands and speaks Dutch, in his mid 30-ies, who is a freelance programmer in C++ (MFC/ATL), who is also a soccer fan, wants to study in the U.S. or Pakistan as a Fulbright scholar and likes looking at Maria Ford and Jordon Ladd. Our Mr. X has no permanent job, so he takes the projects from his bosses to build these rogue antivirus solutions and pay his rent. He wants better projects and wants to run his own business. It is his bosses who are the real masterminds behind Unigray Antivirus and MonaRonaDona - not this man himself.

Clues?

Well, the executable was compiled on a Windows box with the Netherlands regional settings using Microsoft Visual Studio 8 and MFC/ATL settings.
MonaRonaDona is likely a word-play with Maradona - M(on)ar(on)adona, whose fans are likely to be in their mid 30-ies and older.
An ELance trace leads us to the web portal where freelance programmers can be hired.
Multiple others litter the files.

It's Elementary, My Dear Watson!

»blog.threatfire.com/

pissedoffboy
@cox.net

pissedoffboy to bcastner

Anon

to bcastner
Okay guys, my girl's computer got this, and all we had to do was restore the computer to a date before the virus was created in your systems! WHOO HOOO free at last

Sicilianshory
@bresnan.net

Sicilianshory to Conestogaman

Anon

to Conestogaman
Yep, I think I got the monaronadona from the registrycleanfix2008! And you have to pay for it, which is really what sux! But the registry does have a MBG and I deleted the srvspool.exe but still have the monaronadona on my internet explorer toolbar! UGG!

sicilianshorty
@bresnan.net

sicilianshorty to NanDog

Anon

to NanDog
I'm wondering if it was from the registry clean fix 2008. That's when I noticed it and someone else mentioned that too.

Puzzled
@cox.net

Puzzled to bcastner

Anon

to bcastner
My brother has this malware on his computer but has Windows 98 ~ I know, old! How can you get rid of it with such an old version of windows?

aimester
@sbcglobal.net

aimester to bcastner

Anon

to bcastner
Thanx Brian, this worked great! Just think other anti virus will charge up to $100 to fix. Thanx again.

bcastner
MVM
join:2002-09-25
Chevy Chase, MD

1 edit

bcastner to Puzzled

MVM

to Puzzled
Windows 98?

Hmmmm.
I am surprised it would have much effect other than change the IE Title bar. The infection is not terribly well written, and seems very XP and Vista dependent on where it locates files.

There may have been some files or folders installed, but I doubt they would be active. It is more likely the Title Bar you are noticing.

See: »support.microsoft.com/kb/176497

Since in the general scheme of things this infection is more annoyance than danger, give it a day or so and manually update your antivirus program definitions, and then do a thorough scan. It is likely in the next few days this infection will be in your antivirus program database.

ME user
@charter.com

ME user to bcastner

Anon

to bcastner
I have tried the fixes suggested. When I open the notepad named "KillTrojan.cmd" it does not do anything. I have gone thru the whole sequence 3 times.

bcastner
MVM
join:2002-09-25
Chevy Chase, MD

1 edit

bcastner

MVM

Once you create the file in notepad, save it.
Rename the file "KillTrojan.bat" (instead of CMD as the file extension).

Then double click the saved and renamed file.

You may well have to manually remove the entry made to the IE Title Bar when finished: »support.microsoft.com/kb/176497

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to bcastner

Premium Member

to bcastner
said by bcastner:

Clues?
MonaRonaDona is likely a word-play with Maradona - M(on)ar(on)adona, whose fans are likely to be in their mid 30-ies and older.

And I of course do not agree with the footballer angle.
The Monaronadona message was for human rights violation protest. So it is closer to someone who would follow thoughts of Morodo in the word of the song Querido Enemigo (wanted enemy) "Beloved Enemy in peace and let me already now, or na na na." Those fans are a lot younger.

»translate.google.com/tra ··· 26sa%3DN

bcastner
MVM
join:2002-09-25
Chevy Chase, MD

1 recommendation

bcastner

MVM

Or, perhaps this Dutch speaking Pakistani just did not know how to spell the pop singer Madonna very well......

AB57
Premium Member
join:2006-04-04
equatorial

AB57 to bcastner

Premium Member

to bcastner
said by bcastner:

quote:
. . in the Sherlock Holmes style we can say that the author of these masterpieces is a male (possibly Pakistani), who lives in Netherlands and speaks Dutch, in his mid 30-ies, who is a freelance programmer in C++ (MFC/ATL), who is also a soccer fan, wants to study in the U.S. or Pakistan . . .

. . MonaRonaDona is likely a word-play with Maradona - M(on)ar(on)adona . . . .
»blog.threatfire.com/
(Bolding mine.)
said by Name Game:

. . The Monaronadona message was for human rights violation protest. So it is closer to someone who would follow thoughts of Morodo in the word of the song Querido Enemigo (wanted enemy) "Beloved Enemy in peace and let me already now, or na na na." . . .
said by bcastner:

. . perhaps this Dutch speaking Pakistani . . .
(Again, bolding mine.)

I believe you're both wrong (and/or threatfire.com), if it's a Pakistani who wrote it.

Rona-Dona, or Rhona Dhona, is some sort of Pakistani/Indian slang-- for what, I'm not exactly sure, but examples can be found here:

»www.apnicommunity.com/ka ··· ity.html

»entertainment.oneindia.i ··· 706.html

»forum.indya.com/showthre ··· ?t=56424

There are others.
So if in fact it was a Pakistani who wrote it, that would seem to fit more so than any 'Diego Maradona' thing or human rights violation message.

Just a point of trivia, as it would seem to have no actual bearing on anything.

bcastner
MVM
join:2002-09-25
Chevy Chase, MD

1 edit

bcastner

MVM

Thank you.

I too found the "Sherlock Holmes" speculation by ThreatFire a bit over the top. But some of the other evidence is fairly strong as to some of the origin of this pest.

The clues of importance are that there is a great deal of commonality in the code for MonaRonaDona, Uni-Gray Antivirus, RegistryCleaner2008; and even odder or perhaps scarier, in a free remover offered at least twice in this thread and posted widely over the Internet for MonaRonaDonaRemover.exe or its packed RAR version.

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to AB57

Premium Member

to AB57
Well AB this be the message..

»images.kaspersky.com/en/ ··· na_1.png

And Mona does not live in Pakistan..so it must have been
Larry Williams.

»www.msu.edu/~buchan44/boney.html
Name Game

Name Game to bcastner

Premium Member

to bcastner
I have that RemoveMonaRonaDona.exe 2856KB and the .rar in a folder..Internal name: FixMalware.exe Version 1.0.0.1 since 2/29...will they be updating it soon?

AB57
Premium Member
join:2006-04-04
equatorial

AB57 to Name Game

Premium Member

to Name Game
said by Name Game:

Well AB this be the message..

»images.kaspersky.com/en/ ··· na_1.png
True enough. Though I'm not sure I see much of a connection to a song in Spanish by an Hispanic composer, other than in possible sentiment-- but similar sentiments have no doubt been expressed in song, film, and writings in many different languages.
But-- it's a mere point of trivia anyway, regardless of what it may refer to, and I suspect those victimized by MonaRonaDona are not overly concerned with what the malware writer may have been thinking whilst composing his piece of . . . 'art'.
And Mona does not live in Pakistan..so it must have been
Larry Williams.

»www.msu.edu/~buchan44/boney.html
Either that or "Mona" by Bo Diddley, I suppose, eh?

Or "Mona Mona" by Peter Cetera? Maybe "Mona Lisa" by Nat King Cole?

MATO
@blueyonder.co.uk

MATO to bcastner

Anon

to bcastner
THANKS MATE, I HAVE GOT RID OF THE MONARONADONA VIRUS BUT MY INTERNET EXPLORER IS STILL MESSED UP. ONCE I OPEN IE, A LOT OF WINDOWS COME UP LATER ASKING ME TO DOWNLOAD MALWARE, SOME OTHER CLEAN UP AND SO ON, THE IE TITLE BAR READS ADD-ONS-DISABLE. RIGHT NOW ONCE I TRIED TO RESTART MY SYSTEM IT REFUSES TO SHUT DOWN WINDOWS, IT JUST SAYS WINDOWS IS SHUTTING DOWN FOR MORE THAN 5 HOURS WITHOUT TURNING OFF AND THE NORTON GO BACK SEEMS NOT TO BE WORKING FINE AS WELL. WHAT COULD BE THE PROBLEM.
DOES ANYONE KNOW WHAT I CAN DO.

bcastner
MVM
join:2002-09-25
Chevy Chase, MD

1 recommendation

bcastner

MVM

From your description, MonaRonaDona was only one of several malware problems you have.

These other issues are not related to MonaRonaDona. The best thing to do would be to follow the prerequisite steps here, and post a new log in the Security Cleanup Forum:
»Security Cleanup FAQ »Mandatory Steps Before Requesting Assistance
classical62
join:2008-03-03
Vacaville, CA

1 recommendation

classical62 to AB57

Member

to AB57

Re: MonaRonaDona "virus"?

said by AB57:

All Hail bcastner See Profile, All Hail!

Hopefully, this thread and this experience will cause a bit of a light bulb to come on for some of the less computer-literate.
I'll double that "hail" and raise you a three cheers!
AB~ I agree with you on this actually "easy" lesson that was learned..I think my light bulb was having a bit of an electrical connection and that's why I did a dumb thing and downloaded that *^&$ virus...I KNOW better than to open email I don't recognize as well as be mindful of what I download...funny thing is I was scolding myself for not listening to my intuition the other day and then I went ahead and didn't listen and got a pain in the *** for my troubles.
Thank you all again for your time and I will behave myself from now on