The user receives messages of false infection on his computer in order to make him activate (buy) the fake antivirus product. The rogue antivirus resembles the program suite from the operating system and on the installation of the malware the user can notice the following image :
Also the malware creates the following file %CommonAppData%\[RandomString]\[RandomString].exe. Another noticeable sign of infection is the folder %AppData%\Enterprise Suite.
* A typical path for %CommonAppData% is C:\Documents and Settings\All Users\Application Data.
* A typical path for %AppData% is C:\Documents and Settings\[UserName]\Application Data.
The malware is a fake antivirus product which relies on pop-ups with false detection on the system, forcing the user to buy the annoying software to get rid of infections that aren't there.
When installed the picture shown above appears, immitating the operating system's programs. It makes a copy of itself in the %Temp% folder ( ex : C:\Documents and Settings\[UserName]\Local Settings\Temp ) and creates a folder %CommonAppData%\[RandomString] in which it stores the rogue antivirus.
The malware modifies the hosts file (%System%\drivers\etc\hosts) which redirects each entry of the site mentioned bellow to a known search engine webpage. The modified entries are :
It creates a startup registry value "Enterprise Suite" in the key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run in order to run every time the operating system starts.