When the malicious file is executed, a message box like this one opens up:
Clicking on the "OK" button - or even on the "Close" button - starts the installer of the antivirus in question. Symantec researchers reveal that the fake solution searches for uninstaller information in the Windows registry and launches the right uninstaller for certain legitimate AV solution installed on the system, such as products from Microsoft, AVG, Symantec, Spyware Doctor, and Zone Labs.
It then tries to download "AnVi Antivirus", another rogue AV that is actually a clone of CoreGuard Antivirus.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.