on a Vista system, it saves itself to
c:\users\[whatever your username is]\app data\Local\Temp\Low
on my computer it named itself 9.525560894510851E8.exe
i use symantec endpoint protection. the virus slipped through far enough to generate the fake message. however, symantec detected it when i ran a quick scan, and told me where it was. i could have used the "delete" option on the scan, but deleted it manually and then emptied my recycle bin.
if you're into techno-gobbledygook, here's a detailed explanation:
http://securityresponse.symantec.com...101013-3606-99