Sometimes people with bad intentions do really dumb things. Is it something to laugh at? Is it something that provokes empathy for the subject?

Well, as we research further into the so-called MonaRonaDona virus, Registry Cleaner 2008, and Unigray Antivirus, we find characteristics common to each executable binary, leading us to believe with a high level of confidence that not only are the binaries from the same group, but they were developed on the same machine.

We performed a forensic investigation of the binaries, and in the Sherlock Holmes style we can say that the author of these masterpieces is a male (possibly Pakistani), who lives in Netherlands and speaks Dutch, in his mid 30-ies, who is a freelance programmer in C++ (MFC/ATL), who is also a soccer fan, wants to study in the U.S. or Pakistan as a Fulbright scholar and likes looking at Maria Ford and Jordon Ladd. Our Mr. X has no permanent job, so he takes the projects from his bosses to build these rogue antivirus solutions and pay his rent. He wants better projects and wants to run his own business. It is his bosses who are the real masterminds behind Unigray Antivirus and MonaRonaDona – not this man himself.

Clues?

Well, the executable was compiled on a Windows box with the Netherlands regional settings using Microsoft Visual Studio 8 and MFC/ATL settings.
MonaRonaDona is likely a word-play with Maradona – M(on)ar(on)adona, whose fans are likely to be in their mid 30-ies and older.
An ELance trace leads us to the web portal where freelance programmers can be hired.
Multiple others litter the files.

It’s Elementary, My Dear Watson!

This entry was posted on Tuesday, March 4th, 2008 at 3:59 pm and is filed under Adware, Rogueware. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.