Aliases: Win32/Mona, Virus.Win32.HLLW.Mona, Win32.HLLW.Mona, W32/Mona.worm, Win32.HLLW.Mona.24576
Variants: W32/Mona-A, Win32/HLLW.Mona.B, PE_MONA.A, Win32:Mona, Win32/Mona 

Classification: Malware
Category: Trojan Horse

Status: Inactive
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 01 Feb 2001
Damage: Medium

Characteristics: W32.Mona is a Trojan program that can delete files located on the A:\ drive. It copies its own code to the infected system. This Trojan also has backdoor capabilities that its remote operator can use for a variety of purposes, including downloading or destroying important data, modifying the registry, terminating running processes, and enrolling the compromised system in bot networks.

More details about W32.Mona

Once this Trojan is run on the compromised system, it copies its code to the system and then adds a value to a registry key so that it executes when Windows starts. It then deletes all files stored in A:\ and copies itself as a file with the bmp.exe file extension.

Backdoor Trojans like the W32.Mona malware are the most widespread and most malicious type of Trojans. This Trojan can act as a remote administration tool that opens compromised machines to remote control via the Internet or a LAN. It works very similarly to the legitimate remote administration tools used by system administrators, which makes it very hard to detect. The only difference between the Trojan and a legitimate remote administration tool is that the Trojan is installed and executed without the user’s consent or knowledge.

The W32.Mona Trojan is also known to keep track of the local system’s diagnostics. Remote hackers can also use it to send and receive files, execute files, launch and delete files, delete system-critical data, display notifications (which are usually false), and reboot the computer system.

This Trojan’s infection can be removed manually. First, users have to turn off the System Restore function on PCs running Windows XP or ME. Next, open the Windows Task Manager and locate the Trojan’s active process. Once found, terminate the process and then exit the Task Manager. Go on to search for all of the Trojan’s dropped files and delete them. Lastly, edit the registry to undo the changes that the Trojan made.
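To support the last two removal steps, the following added example (not part of the original write-up) lists autostart registry values whose command points at an executable hiding behind a data-file extension. Assumptions: the page names neither the registry key nor the file, so the standard Run/RunOnce keys are checked, "bmp.exe file extension" is read as a name ending in `.bmp.exe`, and the check is widened to other decoy extensions.

```python
import re
import sys

# Assumption: the page does not name the key; these are the standard autostart keys.
RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\RunOnce"),
]

# A data-file extension immediately followed by an executable one, e.g. "x.bmp.exe".
DOUBLE_EXT = re.compile(
    r"\.(bmp|jpe?g|gif|png|txt|docx?|pdf)\.(exe|scr|com|pif|bat|cmd)(?![\w.])",
    re.IGNORECASE,
)

def is_disguised(command):
    """True if an autostart command line references a double-extension executable."""
    return DOUBLE_EXT.search(command) is not None

def flag_entries(entries):
    """entries: iterable of (key, value_name, command); returns the suspicious ones."""
    return [e for e in entries if is_disguised(e[2])]

def read_run_values():
    """Enumerate Run/RunOnce values on a live Windows system."""
    import winreg  # Windows-only standard-library module
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    found = []
    for hive, path in RUN_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                for i in range(winreg.QueryInfoKey(key)[1]):
                    name, data, _type = winreg.EnumValue(key, i)
                    found.append((hive + "\\" + path, name, str(data)))
        except OSError:
            continue  # key absent or not readable
    return found

# Constructed sample entries (not from a real infection) for offline runs.
SAMPLE = [
    ("HKLM Run", "Tray", r"C:\Windows\System32\SecurityHealthSystray.exe"),
    ("HKLM Run", "Picture", r'"C:\WINDOWS\holiday.bmp.exe" /s'),
    ("HKCU Run", "Notes", r"C:\Users\a\notes.txt.EXE"),
    ("HKCU Run", "Viewer", r"C:\Tools\bmp.exe C:\pics\a.bmp"),
]

if __name__ == "__main__":
    entries = read_run_values() if sys.platform == "win32" else SAMPLE
    for key, name, command in flag_entries(entries):
        print(f"SUSPICIOUS {key} [{name}] -> {command}")
```

A flagged value is a lead to verify by hand, not proof of infection; confirm the file on disk before deleting the file or the registry value.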