This threat is a file that is used to download rogue security software programs that we detect as Win32/FakePav.
It is a .vbe file that is encoded with Visual Basic script (VBS).
When run, the file tries to connect to a predefined server that is encoded in the file, hence the server changes between versions. It tries to download a file from the server, which it saves to the %TEMP% folder as a .exe file.
We have seen it download setup.exe.vbe from the following servers and files: