Threat Encyclopedia


Short description
Win32/MonaGray.A is a trojan that hides windows of certain running applications. The trojan uses techniques to entice users to download the Unigray Antivirus misleading application.
Installation
The trojan does not create any copies of itself.

In order to be executed on every system start, the trojan sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Windows" = "%filepath%.exe"
The following Registry entries are set:
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
    "Window Title" = "MonaRonaDona"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    "DisableTaskMgr" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
    "SD" = "%variable%"
A string with variable content is used instead of %variable%.
Other information
The trojan hides windows of running processes which contain any of the following strings in their title:
  • Adobe
  • Date And Time
  • Google Talk


The trojan may display the following message:
The trojan uses techniques to entice users to download the Unigray Antivirus misleading application. The downloaded programs try to appear to be legitimate and useful. The goal of these programs is to persuade the user to purchase them. Some examples follow.

[Image: Example 1]
[Image: Example 2]
During the registration of the adware the user may be redirected to one of the following Internet web sites:
  • http://www.unigray.com
The adware creates the following files:
  • %programfiles%\Unigray Antivirus\Unigray Antivirus.exe
  • %programfiles%\Unigray Antivirus\unins000.dat
  • %programfiles%\Unigray Antivirus\unins000.exe
  • %programfiles%\Unigray Antivirus\Data\PrgBar.gif
  • %allusersprofile%\Desktop\Unigray Antivirus.lnk
In order to be executed on every system start, the adware sets the following Registry entry:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Unigray" = "%programfiles%\Unigray Antivirus\Unigray Antivirus.exe"
The following Registry entries are created:
  • [HKEY_CURRENT_USER\Software\U_AV13]
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unigray Antivirus_is1]
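
A read-only PowerShell check for the registry values, keys and files listed in this entry (an added example, not part of the original description or of any vendor tool). The function names are hypothetical; run it in the affected user's session, since most of the indicators live under HKEY_CURRENT_USER, and treat each hit as something to review rather than as proof of infection.

```powershell
# Added example: read-only check for the indicators listed in this entry.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value is absent.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Find-MonaGrayIndicator {
    $cv   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
    $hits = @()

    # Expected = $null: any data counts, because the entry gives variable data.
    $values = @(
        @{ Path = "$cv\Run";             Name = 'Windows';        Expected = $null }
        @{ Path = "$cv\Run";             Name = 'Unigray';        Expected = $null }
        @{ Path = $cv;                   Name = 'SD';             Expected = $null }
        @{ Path = "$cv\Policies\System"; Name = 'DisableTaskMgr'; Expected = 1 }
        @{ Path = 'HKCU:\Software\Microsoft\Internet Explorer\Main'
           Name = 'Window Title';        Expected = 'MonaRonaDona' }
    )
    foreach ($v in $values) {
        $data = Get-RegValue -Path $v.Path -Name $v.Name
        if ($null -ne $data -and ($null -eq $v.Expected -or $data -eq $v.Expected)) {
            $hits += [pscustomobject]@{ Kind = 'RegValue'; Location = "$($v.Path)\$($v.Name)"; Data = $data }
        }
    }

    # Keys and files, with paths as the entry lists them.
    $paths = @(
        'HKCU:\Software\U_AV13'
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Unigray Antivirus_is1'
        "$env:ProgramFiles\Unigray Antivirus\Unigray Antivirus.exe"
        "$env:ProgramFiles\Unigray Antivirus\unins000.dat"
        "$env:ProgramFiles\Unigray Antivirus\unins000.exe"
        "$env:ProgramFiles\Unigray Antivirus\Data\PrgBar.gif"
        "$env:ALLUSERSPROFILE\Desktop\Unigray Antivirus.lnk"
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            $hits += [pscustomobject]@{ Kind = 'Path'; Location = $p; Data = $null }
        }
    }
    $hits
}

# Prints one record per indicator found; no output means none were present.
Find-MonaGrayIndicator | Format-List
```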