Trojan.FakeaAV.PIS2011 is a polymorphic Rogueware that when executed performs the following activities:
After execution, it drops the following files:
C:\Documents and Settings\All Users\Application Data\9994af\PI999_231.exe C:\Documents and Settings\[user]\Start Menu\Programs\Personal Internet Security 2011.lnk C:\Documents and Settings\[user]\Start Menu\Personal Internet Security 2011.lnk C:\Documents and Settings\[user]\Desktop\Personal Internet Security 2011.lnk C:\Documents and Settings\[user]\Application Data\Microsoft\Internet Explorer\Quick Launch\Personal Internet Security 2011.lnk
It creates the following registry entry:
HKU\Software\Microsoft\Windows\CurrentVersion\Run Personal Internet Security 2011: ""C:\Documents and Settings\All Users\Application Data\9994af\PI999_231.exe" /s /d"
After execution, it displays fake threat messages and forces a user to purchase the software in order to remove the fake threats:
