
Unraveled: Elaborate malware scheme scams users into parting with cash

If you see a computer being infected with a "MonaRonaDona virus," you might be interested to know that this "virus" has been making its rounds the past week. Its purpose? To get you to part with your money.


According to the security researchers at Kaspersky, the MonaRonaDona "virus" is actually custom-written software that forms part of an elaborate scam to sell fake antivirus products. Ironically, its role in the scheme is to panic users into taking action to eradicate it.

Excerpt from ComputerWorld:

Unlike most viruses and Trojans, which try to go about their evil task as invisibly as possible, the MonaRonaDona Trojan displays a broadly visible message in front of the victim. It says, "Welcome to MonaRonaDona. I am a Virus & I am here to wreck your PC. If you observe strange behavior with your PC, like program Windows disappearing, etc., it's me who's doing this." The message claims it's all part of a human rights protest.

According to Kaspersky Lab researcher Roel Schouwenberg, this is the part where it gets interesting. Apparently, if you search the Web to find out more about this "virus," you will find a whole bunch of Web pages with bogus stories and commentary recommending certain antivirus tools to get rid of it.

One such site I visited listed the usual antivirus products, but it inserted an antivirus product at the top of the list that I have never heard of before -- a product called Unigray that's available from the Unigray.com Web site for about US$39.00.

Below is a screenshot of one of the sites that I Googled. I'm not going to increase the ranking of this (and other such) sites further by linking to them - so feel free to Google them on your own.

[Screenshot: monaronadona2.jpg]

This is certainly not the first time that such schemes have been uncovered. In August of 2007, I covered news of a government-led crackdown in South Korea on antispyware products being sold that are, in some cases, even harder to remove than real spyware.

However, MonaRonaDona might be unprecedented in terms of its reliance on social engineering and perhaps sheer scale in the number of Web pages designed to shepherd victims towards parting with their cash. In fact, I even saw a YouTube video promoting it! (Links deliberately omitted)

The bottom line: Clean computers with software from valid antivirus vendors.

Do you think MonaRonaDona is the first of a new wave of "for-profit" malware?

About

Paul Mah is a writer and blogger who lives in Singapore, where he has worked for a number of years in various capacities within the IT industry. Paul enjoys tinkering with tech gadgets, smartphones, and networking devices.

15 comments
BALTHOR

The Commodore was illegally altered, in essence, to believe a lie. I have seen a 0=1 pop up. In today's computers they could only be run in a chip and not in Windows. In other words you would see the program on your drive after it ran in the BIOS. I think that there are many legitimate programs saved in the BIOS. They could even be high voltage flashed in, couldn't be erased, programs. An example would be a virus scanner.

wayoutinva

I dealt with 3 different variations of this last week and it took 3 different methods to remove it. And they were all hawking a different anti-virus program for you to buy. Nasty little bugger it was too. Got right past the anti-virus programs that were running.

Dr Dij

While it doesn't ask for money - it just takes over your PC - it is being downloaded by drive-by websites and is almost impossible to detect: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9066585&intsrc=hm_list

Kany1221

This one came up, acted like it was doing a scan, gave a list of viruses and bad files, and offered to fix them for about $79 USD. This one has been around for a few years, I learned. AVG did not recognize it. The workaround, other than reverting to a previous backup, is to enter their key: 64C665BE-4DE7-423B-A6B6-BC0172B25DF2. Delete its blue shield logo from your start menu and your task bar. Search for nkqns.exe and get rid of it. Do several registry scans after you reboot - several times.

seanferd

So this is a new "production" version, it seems. RTMed, indeed.

JCitizen

Just re-install the operating system?

wayoutinva

Like Ad-Aware, Spybot, AVG anti-spyware etc. That thankfully worked. For one of them I found a removal tool specific to that little bugger when the usual software couldn't find it. I googled the websites they were pointing to, to find out the specific files I needed to look for, and went from there.

JCitizen

I know she tried all the rest. She's just going to have to Google it for that bug and hope she finds a reputable site to get a tool from. I'll relay that information - I appreciate it wayoutinva. It's hard to gauge a situation when you can't VNC in to do any good.

paulmah

Do you think MonaRonaDona is but the first of a new wave of "for-profit" malware?

armstrongb

I was offered the chance to buy something called Windows Vista Ultimate. It was supposed to have all kinds of tools, graphics and capabilities that regular Vista did not. Silly me, I paid the extra hundred bucks and all I got was....errr...Vista. Cheers!

fatman65535

ROF-LMAO!! I guess you did not know that M$ stood for "Malware Society".

JCitizen

Most people fall for simple blackmail scripts that simply try to get them to click on something to "fix" their computer. Nothing elaborate about it, and highly effective, unfortunately.

Tony Hopkinson

That trick has been going around for ages, in one form or another. As soon as the big boys add it to their list it's gone. Anyone with no AV at all who would think about switching to this, instead of contacting their current provider and saying "OY", has got bigger problems anyway.

murfish2003

Indeed this trick HAS been and IS doing the rounds, but don't bother contacting your ISP if you deal with the largest and oldest ISP in Ireland. Their variation of it is to let ALL spam, scam and phishing mails through and then offer you a subscription service to block them... ethical or what??