When rogue security software uses multiple different names for itself, it's not especially noteworthy. After several months of calling themselves "Antivirus 8", recent variants of Rogue:Win32/FakeXPA have begun going by the name of "AVG Antivirus 2011."
When it's first installed, FakeXPA places a copy of itself named iesafemode.exe into the system directory. It then creates a registry entry to set iesafemode.exe as the debugger for a number of common web browsers, including IE, Firefox, Opera, Chrome, and Safari. This registry entry is normally used by software debuggers. Its effect is that when a user attempts to run the program in question, a copy of the debugger will be launched instead, with the name of the program to be run passed to the debugger as a command line parameter. This allows the debugger to launch the program in question and begin debugging it.
In this case, when a user attempts to launch any of these browsers, a copy of the malware is run instead. Renaming the browser's executable and running the renamed copy allows the browser to be launched without interference from the malware.
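The debugger redirection described above can be checked for offline. The following is an added example, not code from the original post: it assumes the entry is the standard Windows `Debugger` value under the Image File Execution Options key (the post does not name the key), and the browser image names and sample export are constructed for illustration.

```python
import re

# Path tail shared by the native and Wow6432Node views of the key.
IFEO = r"\microsoft\windows nt\currentversion\image file execution options" + "\\"
# Assumed image names for the browsers the post lists.
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe", "chrome.exe", "safari.exe"}
KEY_RE = re.compile(r"^\[(.+)\]$")
DEBUGGER_RE = re.compile(r'^"debugger"="(.*)"$', re.IGNORECASE)

def find_ifeo_debuggers(reg_text):
    """Return (image, debugger, is_browser) for each IFEO Debugger value."""
    findings, image = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if key:
            path = key.group(1).lower()
            pos = path.find(IFEO)
            rest = path[pos + len(IFEO):] if pos != -1 else ""
            # Only a direct per-image subkey counts, not deeper subkeys.
            image = rest if rest and "\\" not in rest else None
            continue
        dbg = DEBUGGER_RE.match(line)
        if dbg and image:
            # .reg string values escape backslash and quote with a backslash.
            value = re.sub(r"\\(.)", r"\1", dbg.group(1))
            findings.append((image, value, image in BROWSERS))
    return findings

# Constructed sample: decoded text of a .reg export (real exports are UTF-16).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe]
"Debugger"="iesafemode.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\dbg.exe -p"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe]
"DisableHeapLookaside"="1"
'''

if __name__ == "__main__":
    for image, debugger, is_browser in find_ifeo_debuggers(SAMPLE):
        note = "browser hijack candidate" if is_browser else "review"
        print(f"{image}: Debugger={debugger!r} [{note}]")
```

A `Debugger` value on a browser image is rarely legitimate on an end-user machine, so any hit flagged as a browser warrants checking what the named executable is.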
When the user visits a web page using this interface, it may be downloaded and rendered using the IE libraries. But if the user attempts to visit a site that has been blacklisted by FakeXPA, such as a security-related site, it'll display the following instead:
Notice how it changes the content of the address bar in an attempt to mislead the user into believing that the site had been blacklisted by Microsoft.