Win32/FakePowav is a family of rogues.
This rogue might be known by several names, such as AVDefender, WinXDefender, WinXProtector, SpyGuarder, Security 2009 and so on. The packaging (or "branding") of this rogue might change, but the underlying program remains the same.
One notable branding for this rogue is a fake version of the Microsoft Malicious Software Removal Tool (MSRT).
Installation
Fake MSRT
When run, Win32/FakePowav.B copies itself to your PC as:
It might also create the following non-malicious files as part of its installation routine:
Security 2009
Win32/FakePowav is installed by an installer that might look like this:
The installer creates folders with a name like Security 2009, as in the following example:
The installer might drop files like these:
It changes the system registry so that it runs every time Windows starts:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Security 2009"
With Data: "%USERPROFILE%\Application Data\Security2009.exe"
It also creates the following registry change as part of its installation routine:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\Security 2009.exe
Sets value: "(default)"
With data: "%USERPROFILE%\Application Data\Security2009.exe"
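The two registry changes listed above are the persistence footprint a defender can check for. The following PowerShell script is an added example, not part of the encyclopedia entry or of any Microsoft tool: it reads the Run value and the App Paths subkey named above, compares the data with the path given in the entry, and tests whether that path expands to an existing file for the current user. The key paths, value name and data string are taken from the entry; everything else (the output shape, the file check) is this example's own assumption. It only reads and reports; it removes nothing.

```powershell
# Added example: audit a Windows host for the Win32/FakePowav "Security 2009"
# persistence entries described in the encyclopedia entry. Read-only.

$runKey       = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$appPathKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\App Paths\Security 2009.exe'
$valueName    = 'Security 2009'
# Data string exactly as given in the entry (unexpanded environment variable).
$expectedData = '%USERPROFILE%\Application Data\Security2009.exe'

$findings = @()

# 1. Run key value that makes the rogue start with Windows.
$runProps = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
if ($runProps) {
    $data = $runProps.$valueName
    $findings += [pscustomobject]@{
        Location      = "$runKey\$valueName"
        Data          = $data
        MatchesEntry  = ($data -eq $expectedData)
    }
}

# 2. App Paths subkey whose (default) value points at the dropped executable.
if (Test-Path -Path $appPathKey) {
    $data = (Get-ItemProperty -Path $appPathKey).'(default)'
    $findings += [pscustomobject]@{
        Location      = "$appPathKey\(default)"
        Data          = $data
        MatchesEntry  = ($data -eq $expectedData)
    }
}

# 3. Does the referenced file exist for the current user? (Assumption of this
#    example: expanding %USERPROFILE% for the logged-on user is sufficient;
#    on a shared machine, repeat the check per user profile.)
$expandedPath = [Environment]::ExpandEnvironmentVariables($expectedData)
if (Test-Path -Path $expandedPath -PathType Leaf) {
    $item = Get-Item -Path $expandedPath
    $findings += [pscustomobject]@{
        Location      = $expandedPath
        Data          = "file present, $($item.Length) bytes, modified $($item.LastWriteTime)"
        MatchesEntry  = $true
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Win32/FakePowav (Security 2009) persistence entries found.'
} else {
    Write-Output 'Possible Win32/FakePowav (Security 2009) persistence entries:'
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated PowerShell prompt so the HKLM keys are readable. A hit on the Run value alone is a strong indicator because the value name and data are specific to this rogue; a matching App Paths entry or the file itself corroborates it. Keep the script read-only and hand any confirmed hit to your antimalware tooling for removal.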
Some variants of Win32/FakePowav drop shortcut files on your desktop, like these:
Payload
Displays false alerts
Fake MSRT
Win32/FakePowav.B displays the following message:
If you click on the alert, this threat opens a fake MSRT scan window that might look like:
During this scan it enumerates and opens files and registry keys to make it appear that it is scanning; however, it does not read any data from the files or registry keys. When it's finished, it displays the following dialog:
Clicking Back starts the fake scan again. Clicking Finish displays the following:
Clicking Cancel closes the window but displays this popup from the icon in the system tray:
Clicking this popup message also displays the OEM Purchase Center shown previously.
Clicking any of the Purchase buttons on the OEM Purchase Center page opens your browser to a shopping webpage on oem-micro-store.com.
The file Security Center.exe shows a fake Windows Security Center interface.
This interface shows the same information regardless of your PC's actual firewall, automatic updates and virus protection status. Clicking the Recommendations button also launches the browser to display a page from oem-micro-store.com.
Security 2009
Once installed on your PC, Win32/FakePowav displays false reports of malware infection, even on a PC that has no malware, for example:
Win32/FakePowav might display pop-ups as in the following examples: