Trojan:Win32/Monroda.gen!A is a generic detection for a trojan that may alter the Internet Explorer Web browser title to "MonaRonaDona", terminate applications and display a message to the user announcing its presence.
Installation
When executed, this trojan may drop a copy of itself as '<system folder>\SRVSPOOL.exe'. Next, Win32/Monroda may modify the registry to run its copy at each Windows start:
Adds value: Windows
With data: "<system folder>\SRVSPOOL.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Payload
Closes Applications
Win32/Monroda may close all applications that have one of the following character strings in their window title:
- Date And Time
- Windows Task Manager
- Registry Editor
- Irfanview
- Google Talk
- Macromedia
- Adobe
- Microsoft Visual
- Windows Media Player
- Winamp
- Microsoft Office
- Microsoft Excel
- Microsoft Word
- Messenger
Disables Windows Task Manager
Win32/Monroda may disable Windows Task Manager by changing registry data.
Modifies value: DisableTaskMgr
With data: "1"
In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System
Changes Internet Explorer Window Title
Win32/Monroda may change the window title of Internet Explorer by altering registry data.
Modifies value: "Window Title"
With data: "MonaRonaDona"
In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main
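The registry changes and dropped file listed in this description can be checked on a suspect machine with a read-only script. This is an added example, not part of the original analysis; the variable names are illustrative, and it assumes the registry view and system folder seen by the PowerShell process that runs it.

```powershell
# Added example: read-only check for the Win32/Monroda indicators listed on this page.
# Nothing is modified. Variable names are illustrative.
$sysDir = [Environment]::SystemDirectory   # stands in for "<system folder>"

$checks = @(
    @{ Path  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
       Name  = 'Windows'
       Match = { param($v) "$v" -like '*\SRVSPOOL.exe*' }
       Note  = 'Run value "Windows" launches SRVSPOOL.exe' },
    @{ Path  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name  = 'DisableTaskMgr'
       Match = { param($v) "$v" -eq '1' }
       Note  = 'Task Manager disabled by policy value' },
    @{ Path  = 'HKLM:\Software\Microsoft\Internet Explorer\Main'
       Name  = 'Window Title'
       Match = { param($v) "$v" -eq 'MonaRonaDona' }
       Note  = 'Internet Explorer window title changed' }
)

$findings = @(foreach ($c in $checks) {
    # A missing key or value is not an error here, it just means "no indicator".
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }
    $data = $item.($c.Name)
    if (& $c.Match $data) {
        [pscustomobject]@{ Indicator = $c.Note; Location = $c.Path; Name = $c.Name; Data = $data }
    }
})

# The dropped copy itself.
$dropped = Join-Path $sysDir 'SRVSPOOL.exe'
if (Test-Path -LiteralPath $dropped) {
    $findings += [pscustomobject]@{ Indicator = 'Dropped copy present'; Location = $dropped; Name = ''; Data = '' }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/Monroda indicators from this description were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A DisableTaskMgr value of 1 can also be set deliberately by an administrator, so treat that finding as significant only together with the others.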
Displays Message
Win32/Monroda may display a message dialog box containing some of the following text:
I am a Virus
I am here to Wreck Your PC. If you observe strange behavior with your PC, like program windows disappearing etc, it's me who is doing all this. I was created as a protest against the Human Rights Violation being observed throughout the world && the very purpose of my existence is to remind
stress the world to respect humanity
Analysis by Dan Nicolescu