
The MonaRonaDona Extortion Scam

Online tech support forums are starting to light up over an increasing number of PCs sickened by something called the "MonaRonaDona virus," a piece of malware that threatens to trash host computers. As it happens, MonaRonaDona appears to be a relatively innocuous invader that was created to scare people into purchasing a fake new anti-virus product.

I first read about MonaRonaDona in a discussion thread over at the excellent DSL Reports Security Forum, where members traded tips on removing the bugger. Nobody seems to know how the thing wiggles into infected PCs in the first place, but the one thing that's clear is that this invader's primary purpose is to call as much attention to itself as possible (that kind of behavior is always a red flag, because most modern malware succeeds by being stealthy and unobtrusive). This piece of malware disables a number of programs on the victim's PC, changes the title of each Internet Explorer Window to include its name, and pops up the warning shown in the adjacent screenshot.

According to an analysis by Russian anti-virus maker Kaspersky Lab, MonaRonaDona is noisy because its author is hoping the victim will conduct a Google search for instructions on how to remove it. The second result in a Google search for "monaronadona" is a Digg.com article linking to an anonymous blog entry with instructions on downloading and using a product called "Unigray Antivirus." One blog claims Unigray "is considered the best for removing the monaronadona virus compared to the other spyware / antivirus programs." There are a few other prominent results that sing the praises of Unigray Antivirus, including a YouTube.com video.

What these results won't tell you up front is that Unigray Antivirus costs $39.90. They also fail to mention what Kaspersky analysts figured out on their own: that while Unigray Antivirus will in fact remove the dreaded MonaRonaDona virus, that is the only piece of malware it is designed to remove.

If you're a victim of this extortion scam, please don't pay up. Several self-help groups have free instructions on how to remove this thing. These instructions over at DSL Reports seem to have helped a number of victims remove MonaRonaDona without problems.

Update, March 8, 4:41 p.m. ET: It looks like MonaRonaDona was built into a number of supposed system optimization tools, such as a program called "Registry Cleaner 2008." Also, security vendor PrevX has published a fascinating blog entry in which they describe how they used clues contained within the virus itself to trace it back to the alleged author, a guy in Pakistan who claims he was hired to construct the thing, and paid to enlist ghostwriters who created fake online "review" articles endorsing Registry Cleaner.

By Brian Krebs  |  March 3, 2008; 6:06 PM ET
Categories:  Latest Warnings  

Comments

Yep, it was registrycleaner2008.exe. You can see the first suggestion of registrycleaner here:
http://www.dslreports.com/forum/r20082590-MonaRonaDona-virus

and the first research confirming it here:
http://blog.threatfire.com/2008/03/monaronadona-mystery-solved.html

Posted by: TFuser | March 3, 2008 9:03 PM

My PC is saying that message. I want it gone. Please help me fix my computer from this ad on MonaRonaDona, please.

Posted by: Gina Johnson | March 4, 2008 3:28 AM

Brian has it right - the "Permalink" for the fix is here:

> http://www.dslreports.com/forum/r20088377-Re-MonaRonaDona-virus


Posted by: J. Warren | March 4, 2008 9:38 AM

Is there a version of the removal tool for Mac OSX?

Posted by: TIC | March 4, 2008 10:49 AM

Does it, in fact, even affect Macs?

Posted by: Adam | March 4, 2008 2:53 PM

The "Things Instructions" link in the above article will take you to: http://www.dslreports.com/forum/r20088377-
I struggled with this virus all day.
This solution works. The instructions take some work, but in the end, the virus will be gone (MonaRonaDona).
The person who created it is concerned about "human rights", so concerned that it thinks the solution is to hurt other people's human rights... Unfortunately this is a familiar theme in 2008.
lgorin@comcast.net

Posted by: Larry Gorin | March 4, 2008 2:56 PM

I had downloaded and removed Registry Cleaner 2008 at an earlier date. I got the virus. When I did finally get rid of it I found Registry Cleaner 2008 was STILL part of my start menu. When I removed the virus the startup item "Registry Cleaner" also disappeared!!

Posted by: Randall Kowalke | March 4, 2008 6:20 PM

Used the fix posted by bcastner at www.dslreports.com/forum/r20082590-MonaRonaDona-virus . Works well - just copy the script into Notepad, follow his instructions and it is gone with no damage.

Thanks bcastner.

Posted by: JJK | March 4, 2008 6:26 PM

Larry Gorin wrote:
"The person who created it is concerned about "human rights".

It looks like he is a freelance programmer out of the Netherlands looking to pay the rent. He wrote the malware, the registry cleaner, and the phony av scanner all on one system.
http://blog.threatfire.com/2008/03/developing-malware-and-rogueware-on.html

Posted by: TFuser | March 5, 2008 12:57 AM

Use the link below to fix monaronadona in nanosecs!!! I just did mine. Use the free version.

http://rapidshare.com/files/95966868/RemoveMonaRonaDona.exe

Posted by: nikolakisx | March 5, 2008 4:50 AM

Don't download EXE files from an unknown source -- they may have other viruses in them.

Posted by: Jonathan | March 5, 2008 9:26 AM

Thanks for all! I downloaded from Rapidshare and removed this "ignoble" virus: MonaRonaDona

Posted by: Vangeli | March 5, 2008 5:07 PM

I got rid of the message, but on my Internet Explorer page, on the very top right of the screen, it says MonaRonaDona. Does this mean I am still infected? If so, what can this virus do to you?

Posted by: Ryan | March 5, 2008 5:11 PM

I got rid of the comment. But on the top of my Internet Explorer page, it says monaronadona. Does this still mean I am infected? If so, what can this virus do to you?

Posted by: Ryan | March 5, 2008 5:13 PM

Thanks for the fix. I was able to rid my PC of this virus MonaRonaDona. Pain in the a-- and again I also downloaded Registry Cleaner 2008 a few days ago. Had a terrible time getting rid of it. Anyway looks like all is okay now. The virus showed up this morning.

Posted by: Harold | March 5, 2008 6:54 PM

Thank you Washington Post.
I used the 'Hijack This' programme from Trend and had the whole thing sorted out within 10 mins. Free of charge.
Recommend it to everyone.

Posted by: David Cornish..Australia.. | March 5, 2008 10:23 PM

Thank you very much, I rid the monaronadona virus following your orientation.
Thanks.

Posted by: luis abrante | March 6, 2008 10:04 AM

I followed the remedy re MonaRonaDona and it worked well! Thanks for this. Will add you to my prayer list!

Posted by: Sr. Victoria | March 6, 2008 4:58 PM

Yeah I got hit by it and I run a Mac but the cure doesn't work for me because I don't have a Registry. So I'm back on my SPARC for the time being.

Posted by: Steve | March 6, 2008 6:55 PM

Since the infection vector here is from a "system utility/optimizer" (registry cleaner) downloaded and run by the user, it is quite ironic to propose using another "exe" based utility to clean things up. Didn't we learn the first time?

Another lesson here should be that these system optimizers are not only misleading, but in most cases completely useless and obviously sometimes malicious! The old adage "less is more" applies here. To optimize (and maintain) your system, simply use the built-in system tools (e.g. checkdisk, disk cleanup, disk defragmenter, etc.). Run them at least once a month. Another thing to remember: don't put your system into standby or hibernate all the time, because it prevents the system from optimizing itself when idle (Windows XP and newer do this).

Posted by: TJ | March 7, 2008 10:04 AM

The blog below is also a good read regarding these misleading applications and malware in general:

http://msmvps.com/blogs/hostsnews/default.aspx

Don't get fooled. Not all software programs are what they claim to be!

Posted by: Tim | March 7, 2008 12:21 PM

MS MVP Bill Castner's MonaRonaDona Removal Tool (cf. http://www.dslreports.com/forum/r20082590-MonaRonaDona-virus) can be found here: http://aumha.net/viewtopic.php?t=32239

Posted by: Robear Dyer, MS MVP | March 7, 2008 12:35 PM

I've blogged on this and have links to a tech writeup on the issue from Symantec (which includes a set of removal instructions) and a link to a free, online virus scanner so if you think you might be infected with MonaRonaDona, you can find out.

http://marian.symantec.com/blog/index.cfm?logout=1

Marian Merritt, Symantec/Norton

Posted by: Marian Merritt | March 7, 2008 3:35 PM

Task Manager Disablement - RESOLUTION
-------------------------------------

1. Verify that the "Local Group Policy" or "Domain Group Policy" doesn't block you from using "Task Manager".

1.1 "Local Group Policy"

a. Go to "Start" -> "Run" -> Write "Gpedit.msc" and press the "Enter" button.

b. Navigate to "User Configuration" -> "Administrative Templates" -> "System" -> "Ctrl+Alt+Del Options"

c. In the right side of the screen verify that the "Remove Task Manager" option is set to "Disabled" or "Not Configured".

d. Close the "Gpedit.msc" MMC.

e. Go to "Start" -> "Run" -> Write "gpupdate /force" and press the "Enter" button.

Note: If you are using Windows 2000, please follow KB q227302 instead of stage "e".

Using SECEDIT to Force a Group Policy Refresh Immediately
http://support.microsoft.com/kb/q227302/


1.2 "Domain Group Policy"

a. Contact your local IT support team.


2. Verify correct registry settings:

a. Go to "Start" -> "Run" -> Write "regedit" and press the "Enter" button.


Warning: Modifying your registry can cause serious problems that may require you to reinstall your operating system.
Always back up your files before doing this registry hack.

b. Navigate to the following registry keys and verify that the following settings are set to default:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DisableCAD"=dword:00000000

c. Reboot the computer.


Posted by: Seshu Kanuri | March 8, 2008 3:06 PM

This is the latest:
--------------
Method 1 - Using the Group Policy Editor in Windows XP Professional

Click Start, Run, type gpedit.msc and click OK.
Under User Configuration, click on the plus (+) next to Administrative Templates
Click on the plus (+) next to System, then click on Ctrl+Alt+Delete Options
Find Remove Task Manager in the right-hand pane and double click on it
Choose the option "Not Configured" and click Ok.
Close the Group Policy Window
Method 2: Change the Task Manager Option through the Run line

Click on Start, Run and type the following command exactly and press Enter
REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f

Method 3: Change Task Manager through a Registry REG file

Click on Start, Run, and type Notepad and press Enter
Copy and paste the information between the dotted lines into Notepad and save it to your desktop as taskmanager.reg
------------------------------------
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000000
-------------------------------------

3. Double click on the taskmanager.reg file to enter the information into the Windows registry

Method 4: Delete the restriction in the registry manually

Click on Start, Run, and type REGEDIT and press Enter
Navigate to the following branch

HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Policies\ System


In the right pane, find and delete the value named DisableTaskMgr
Close the registry editor


Method 5: Download and Run FixTaskManager program


Click on the following links and download the program FixTaskManager to your Desktop

Main Site

Backup Location

Double-click on the file FixTaskManager on your desktop and run it

Posted by: How To Fix the Task Manager | March 9, 2008 2:47 AM
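An added example that is not part of the original post or of any comment: a PowerShell script that audits, and with -Fix resets, the registry values the two Task Manager comments above list (DisableTaskMgr under the three policy keys, DisableCAD under Winlogon). It also reads the Internet Explorer "Window Title" value; that value is the documented way to alter the IE title bar and is checked here only as an assumption, because of the title-bar symptom the article and Ryan's comments describe, not because the page says MonaRonaDona used it. The check names and default of 0 come from the comments; the Vista-and-later caveat on DisableCAD is mine.

```powershell
# Added example (not from the post or its commenters): report, and optionally
# reset, the Task Manager restrictions named in the comments above.
# Assumption: the IE "Window Title" value is inspected because it is the
# standard way to change the IE title bar; the post does not say the malware
# used it, so a hit there is a clue to investigate, not proof of infection.
param(
    [switch]$Fix    # without -Fix the script only reports
)

# Values the comments say should be 0 (or absent) on a clean system.
# Reset = $false: report only. DisableCAD = 1 is the normal default on
# Vista and later workstations, so it is not changed automatically.
$checks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Reset = $true },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Reset = $true },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'; Reset = $true },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';     Name = 'DisableCAD';     Reset = $false }
)

# Returns $null when the key or the value is absent, otherwise the DWORD as an int.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

$restricted = 0
foreach ($c in $checks) {
    $v = Get-RegValue -Path $c.Path -Name $c.Name
    if ($null -eq $v -or $v -eq 0) {
        $shown = if ($null -eq $v) { 'absent' } else { $v }
        Write-Host ("OK         {0}\{1} = {2}" -f $c.Path, $c.Name, $shown)
        continue
    }
    $restricted++
    Write-Host ("RESTRICTED {0}\{1} = {2}" -f $c.Path, $c.Name, $v)
    if ($Fix -and $c.Reset) {
        # Same effect as the REG ADD line in Method 2 above: force the value back to 0.
        Set-ItemProperty -LiteralPath $c.Path -Name $c.Name -Value 0 -Type DWord
        Write-Host "           -> reset to 0"
    } elseif ($Fix) {
        Write-Host "           -> left unchanged (review manually; see note on DisableCAD)"
    }
}

# Title-bar residue (assumed mechanism, see the comment at the top).
$iePath = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
$title  = (Get-ItemProperty -LiteralPath $iePath -Name 'Window Title' -ErrorAction SilentlyContinue).'Window Title'
if ($title) {
    Write-Host "CHECK      IE title-bar override present: '$title'"
    if ($Fix) {
        # The value is optional; removing it restores the default IE title.
        Remove-ItemProperty -LiteralPath $iePath -Name 'Window Title'
        Write-Host "           -> removed"
    }
} else {
    Write-Host "OK         no IE title-bar override"
}

if ($restricted -gt 0 -and -not $Fix) {
    Write-Host "`n$restricted restriction(s) found. Re-run with -Fix from an elevated prompt, then log off and back on."
}
```

Run it first without -Fix to see what is set; the HKLM entries need an elevated prompt to change, and the HKCU policy value takes effect for Task Manager only after a log-off or a `gpupdate /force` as stage "e" above says. The script touches only the values named in the comments, so a restriction enforced by domain Group Policy (section 1.2 above) will simply reappear at the next policy refresh, which is itself a useful signal that the block is administrative rather than malware residue.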

I just saw "MonaRonaDona" at the top of this page on my IE Window and it scared me for a sec... lol

Posted by: therealjohnmark | March 11, 2008 10:06 AM

I posted this problem yesterday and now it is off the blog... I used Brian's fix... it got rid of the message from MonaRonaDona... and unfroze my Dell laptop... but it still has the internet hijacked... unable to access it, and it still says MonaRonaDona on the Windows Explorer name... Please help... thanks

Posted by: Mary | April 3, 2008 5:38 AM


© 2010 The Washington Post Company