Panda Software Labs has detected the appearance of Zcodec, a new malicious program which incorporates a rootkit. It also alters Internet search results and installs other malicious code. Zcodec is included in a program that supposedly installs codecs needed to play a certain multimedia format. When users are about to install this application, a user license window is displayed. However, no codec is installed, and the program does not wait for users to accept or reject the license agreement: Zcodec is installed on the computer as soon as they click on the downloaded file.
Once Zcodec is on the computer, a rootkit (a program designed to hide processes, files or registry entries) is installed. Zcodec installs two executable files. The first modifies the DNS settings so that when a user clicks on results from search engines (such as Google), a different page is displayed.
This tactic is exploited by the program's creators to profit from pay-per-click systems, or even to redirect users to pages designed to steal confidential data.
The second executable carries out one of two actions, chosen at random. In some cases it installs the Ruins.MB Trojan, which is designed to download other malicious programs onto the system.
On other occasions, the file continually launches a casino application, asking for the user's permission to install it. However, even if the user rejects installation of the program, an icon is created on the Windows desktop which, when clicked, will prompt installation.