PIFTS.EXE appears to be a part of a patching application. The executable itself is unencrypted and contains several interesting bits of text such as:
- The ping url is %s PATCH021809DB
One odd thing is that the PIFTS.EXE executable is padded out to precisely 100KB (102,400 bytes) with a string saying "XXPADDINGPADDINGXX" several times. Presumably Symantec have their own reason for making sure that the file is exactly this length.
Some people might say that the way Symantec is deleting posts indicates a cover-up. It is certainly suspicious, but my best guess is that there's a quality control issue here and the PIFTS.EXE process was never meant to be released.
VirusTotal gives it a clean bill of health. ThreatExpert shows that it doesn't do much except call home.