The window shown below appears when the user executes the malware. It is a warning window, as the user is about to install malware on the machine.
Appeareance of the following files :
%CommonAppData% is the application data for all users. For example : C:\Documents and Settings\All Users\Application Data.
%Desktop% refers to desktop of the user. For example : C:\Documents and Settings\[UserName]\Desktop.
%Programs% refers to the user's program groups. For example : C:\Documents and Settings\[UserName]\Start Menu\Programs.
The fake antivirus tries to trick the user into registering the product by giving notices of false detections, more and more at each so called scan. Once on the machine it delivers pop-ups with system problems and fake infections.
It copies itself in %CommonAppData%\[random number]\[random number].exe and removes the original file from which it was installed.
It modifies the following key value in order to run every time Windows starts : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run - [ RandomNumer ] which points to the copy made in the %CommonAppData%.
It takes a more aggresive attitude in order to persuade the user of the danger the system is in by removing the desktop wallpaper (registry value : HKEY_CURRENT_USER\Control Panel\Desktop ["Wallpaper"] ) and blocking most application and showing a pop-up of a made-up infection.
Other simmilar pop-ups and the difficulty of closing the application have the same target.