It has been difficult to trace the source of the virus, which calls itself MonaRonaDona, because victims are unaware their machines are infected until they reboot their PCs, Roel Schouwenberg, a senior anti-virus researcher with Kaspersky Lab, told SCMagazineUS.com on Tuesday. Researchers first noted an outbreak last week.
Once they restart, pop-ups begin appearing which claim: “Hi, My name is MonaRonaDona. I am a Virus and I am here to Wreck Your PC. If you observe strange behavior with your PC, like program windows disappearing etc, it's me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world & the very purpose of my existence is to remind & stress the world to respect humanity.”
The malware prevents a number of popular applications from opening, including Windows Task Manager, Microsoft Office, Microsoft Word, Adobe, Google Talk and Macromedia, John McDonald, a senior security response manager at Symantec, said on the Security Response blog.
At first glance, it appears the malware amounts to nothing more than a mass-mailing worm reminiscent of those from the late 1990s and early 2000s, whose only goal was to pester users.
“This is unlike the majority of today's malware, which is very stealthy,” Schouwenberg said he initially thought. “It had all the makings of a typical hooligan virus.”
But on further review, Schouwenberg found that entering “MonaRonaDona” into search engines such as Google and Yahoo yields links to web forums and YouTube videos that discuss the malware and claim that an anti-malware solution known as Unigray can remediate the virus.
The web discussions clearly were fabricated by the malware's purveyors, who had banked on victims searching to find out more about the virus, Schouwenberg said. The bogus forums and videos are meant to entice victims to purchase Unigray, which is actually a rogue $40 anti-virus solution that does not work, except to remove MonaRonaDona, Schouwenberg said.
“It's really a mind-blowing social engineering scheme if you ask me,” he said. “It's manipulating the user into searching for MonaRonaDona. They are using Web 2.0 websites, such as Digg and YouTube, to promote their own scheme”
McDonald said the Unigray company falsely claims its product detects 679,871 threats, and it was only registered as a domain on Feb. 20. The site could not be accessed on Tuesday.
Now that the anti-virus community has caught on to the scam and media are reporting on it, search results for Unigray do not rank as high, researchers said.
Businesses, meanwhile, should keep their anti-virus up to date and encourage users to not click on advertisements, Schouwenberg said. Experts believe machines may have been seeded with the virus when users clicked on a rouge ad promoting a “Registry Clean Fix” program – although researchers have been unable to confirm this.