"Win32/FakePAV" is a rogue that displays messages that imitate Microsoft Security Essentials threat reports in order to entice the user into downloading and paying for a rogue security scanner. The rogue persistently terminates numerous processes such as Windows Registry Editor, Internet Explorer, Windows Restore and other utilities and apps.
This fake is distributed by a tactic commonly described as a "drive-by download" and shows up as a hotfix.exe or as an mstsc.exe file. Additionally, after the fake MSE software reports it cann't clean the claimed malware infection, it offers to install additional antimalware rogues (with names such as AntiSpySafeguard, Major Defense Kit, Peak Protection, Pest Detector and Red Cross). Lastly, this fake program will try to scare you into purchasing a product.
And now onto a detailed look at FakePAV. While different FakePAV distributions have different payloads, here's how the current one imitating MSE works:
- It modifies system so that it runs when Windows starts
- When you go to execute something it's watching for, it opens the alert window claiming the program is infected and blocks it from running.
- You can expand it out for "additional details"
- If you click "Clean computer" or "Apply actions", it simulates an attempt to clean claimed infection
- You'll then get an "unable to clean" alert and be instructed to click "Scan Online"
- Clicking this, a list of antimalware programs appears, including several fake removal tools, and you'd need to click Start Scan
- Once simulated scan completes, it'll claim a solution was found and list products that can "clean the system (the listed products are fake removal tools).
- Clicking "Free install" on one of those downloads will download its installer and start installing
More Info: FackePAV