Best Antivirus Software is a variant of Win32/FakeVimes - a family of programs that claims to scan for malware and displays fake warnings of "malicious programs and viruses". They then inform the user that they need to pay money to register the software in order to remove these non-existent threats. It may also modify security settings, prevent programs from running, and modify the Hosts file.
Best Antivirus Software is installed by a downloader, which may also be detected as Rogue:Win32/FakeVimes. This downloads an encrypted copy of the fake scanner, which it decrypts and writes to %common_appdata%\<five random hexadecimal digits>\BA<three random hexadecimal digits>_<four random decimal digits>.exe. An example location for Best Antivirus Software might be %common_appdata%\54fd6\BA3b8_8068.exe. It then launches the fake scanner.
It then creates a registry entry so that this copy is run each time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Best Antivirus Software"
With data: "<location of malware>" /s /d (for example, "%common_appdata%\54fd6\BA3b8_8068.exe" /s /d)
It drops an icon file BAS.ico to the same directory as the copied malware (for example, %common_appdata%\54fd6\BAS.ico).
It also creates empty folders "Quarantine Items" and "BASSys" under the same folder as the original copy of the scanner.
It creates a desktop shortcut at %desktopdir%\Best Antivirus Software.lnk.
It adds an item to the Start Menu by creating a file at %startmenu%\Best Antivirus Software.lnk.
It adds an item to the Programs Menu by creating a file at %programs%\Best Antivirus Software.lnk.
It adds an icon to the Quick Launch bar by creating a file at %appdata%\Microsoft\Internet Explorer\Quick Launch\Best Antivirus Software.lnk.
Best Antivirus Software then creates a configuration file in a location such as %common_appdata%\BAZUVONHOS\BAUTS.cfg.
Lastly, it creates a number of small junk files in the %userprofile%\Recent directory, which it can report as infected when performing its fake scan. These files are harmless by themselves.
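The drop path and Run value described above can be turned into a triage check over exported autorun entries. The following is an added example, not part of the original write-up: the function names, the sample entries, and the use of C:\ProgramData as the expansion of %common_appdata% are assumptions made for illustration.

```python
import re

# Trailing components of the drop path given on this page:
# \<5 hex digits>\BA<3 hex digits>_<4 decimal digits>.exe
DROP_RE = re.compile(r'\\[0-9a-f]{5}\\BA[0-9a-f]{3}_[0-9]{4}\.exe$', re.IGNORECASE)
# Run data is a quoted (or bare) executable path followed by optional arguments.
RUN_DATA_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))\s*(.*)$')
VALUE_NAME = "best antivirus software"

def split_run_data(data):
    """Split Run-value data into (executable path, argument list)."""
    m = RUN_DATA_RE.match(data)
    if not m:
        return "", []
    return (m.group(1) or m.group(2)), m.group(3).split()

def score_run_entry(name, data):
    """Return which indicators from this page a Run value matches."""
    path, args = split_run_data(data)
    hits = []
    if name.strip().lower() == VALUE_NAME:
        hits.append("value-name")
    if DROP_RE.search(path):
        hits.append("path-pattern")
        if [a.lower() for a in args] == ["/s", "/d"]:
            hits.append("args")
    return hits

# Constructed sample export of HKCU\...\Run values (name, data).
# C:\ProgramData is an assumed expansion of %common_appdata%.
SAMPLE_RUN_VALUES = [
    ("Best Antivirus Software", r'"C:\ProgramData\54fd6\BA3b8_8068.exe" /s /d'),
    ("Updater", r'"C:\ProgramData\a01fe\BA9c2_0417.exe" /s /d'),  # renamed value
    ("Backup", r'"C:\ProgramData\Backup\BACKUP_2024.exe"'),       # benign look-alike
    ("SecurityHealth", r'%windir%\system32\SecurityHealthSystray.exe'),
]

if __name__ == "__main__":
    for name, data in SAMPLE_RUN_VALUES:
        hits = score_run_entry(name, data)
        print(f"{'SUSPECT' if hits else 'ok':8}{name}: {hits}")
```

Matching on the path pattern independently of the value name keeps the check useful if a related variant registers itself under a different display name.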
Displays fake scanner
The malware masquerades as an antivirus scanner, and displays a number of windows, dialog boxes and system tray pop-ups in an attempt to convince you that you are infected. This appears to be an attempt to replicate the appearance of Microsoft Security Essentials.