Troj/FakeVir-BE pretends to scan the host computer and will always find infections. It then asks the user to pay before pretending to clean the infections that it found.
When Troj/FakeVir-BE is installed the following files and folders are created:
<Desktop>\XP-Shield.lnk
<Temp>\XPShieldSetup.exe
<Start Menu\Programs>\XPShield
<Start Menu\Programs>\XPShield\XP-Shield Web Site.lnk
<Start Menu\Programs>\XPShield\XP-Shield.lnk
<Program Files>\XPShield
<Program Files>\XPShield\INSTALL.LOG
<Program Files>\XPShield\UNWISE.EXE
<Program Files>\XPShield\XP-Shield Web Site.url
<Program Files>\XPShield\XP-Shield.exe
The following registry entry is created to run XP-Shield.exe on startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
XPShield
<Program Files>\XPSHIELD\XP-SHI~1.EXE
Registry entries are created under:
HKCU\Software\XPShield
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XP-Shield
Troj/FakeVir-BE provides an uninstall option which can be accessed via the Add or Remove Programs dialog in the Windows Control Panel. The software is listed as "XP-Shield".