Monagrey: Win32 trojan that modifies the IE start page (also known as Trojan.Monagray, Trojan.Win32.Monagrey.a (KAV))
Overview -
Monagrey is a trojan that modifies the IE start page and prevents common applications from running.
Aliases
* Trojan.Monagray (Symantec)
* Trojan.Win32.Monagrey.a (KAV)
Characteristics -
-- Update March 4, 2008 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention.
Monagrey is a trojan that modifies the IE start page and prevents common applications from running.
It will modify the following registry key so that it runs at startup:
HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows: "%LOCATION%\SRVSPOOL.exe"
(where %LOCATION% is the folder in which the trojan resides, e.g. C:\)
Upon reboot, the trojan will display a pop-up window.

It will change the IE start page to point to the following URL:
* http://en.wikipedia.org/wiki/Human_rights
and also prevent applications with the following names in their title bar from running:
* Date And Time
* Windows Task Manager
* Registry Editor
* Irfanview
* Google Talk
* Macromedia
* Adobe
* Microsoft Visual
* Windows Media Player
* Winamp
* Microsoft Office
* Microsoft Excel
* Microsoft Word
* Messenger
Symptoms -
* Unexpected termination of the previously mentioned applications
* Modification of the IE start page to the previously mentioned URL
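A triage check for the two registry indicators described above, run over a registry export in .reg format. This is an added example, not code from the original write-up. Assumptions: the Run key is matched under any hive, since the page gives the hive as HKEY_LOCAL_USER; the IE start page is read from the standard `Internet Explorer\Main` "Start Page" value, which the page does not name; the sample export is constructed.

```python
import re

# Indicators from the description above, lower-cased for comparison.
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
IMAGE_RE = re.compile(r'(?:^|[\\/"\s])srvspool\.exe(?=$|["\s])', re.I)
START_URL = "http://en.wikipedia.org/wiki/human_rights"
# Assumption: the usual IE start page location, which the page does not name.
IE_KEY = r"\software\microsoft\internet explorer\main"

# "name"="string data"; other value types (dword:, hex:) are skipped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def unescape(s):
    """Undo .reg escaping of backslash and double quote."""
    return re.sub(r"\\(.)", r"\1", s)

def find_indicators(reg_text):
    """Return (key, value name, data, reason) for each indicator found."""
    hits, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # remember the key the values belong to
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        k = key.lower()
        if k.endswith(RUN_KEY) and IMAGE_RE.search(data):
            hits.append((key, name, data, "Run entry launches SRVSPOOL.exe"))
        elif (k.endswith(IE_KEY) and name.lower() == "start page"
              and data.lower().rstrip("/") == START_URL):
            hits.append((key, name, data, "IE start page set to reported URL"))
    return hits

# Constructed sample export, not taken from a real infected host.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows"="C:\\SRVSPOOL.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://en.wikipedia.org/wiki/Human_rights"
'''

if __name__ == "__main__":
    print(*find_indicators(SAMPLE_EXPORT), sep="\n")
```

Registry Editor writes version 5.00 exports as UTF-16, so decode the file before passing its text to `find_indicators`.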
Method of Infection -
Trojans do not self-replicate. They are spread manually, often under the premise that the executable is something beneficial. Trojans may also be received as a result of poor security practices, or through unpatched machines and vulnerable systems. Distribution channels include IRC, peer-to-peer networks, email, newsgroup postings, etc.
Removal -
All Users:
Use specified engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).
Additional Windows ME/XP removal considerations