Malware license agreement tells it straight
You normally need a law degree and the patience of Job to make sense of End User License Agreements (EULAs).
These seldom-read legal screeds have a reputation for being both hard to fathom and often one-sided in protecting the rights of software suppliers. So it's refreshing to find an agreement that gets straight to the point without wasting users' time scrolling down through something they aren't going to read anyway.
hotelcodec.com says it like it is.
A license agreement for a malware-bundled codec from hotelcodec.com simply says: "FUCK YOU".
We're indebted to Stopbadware.org, a "Neighbourhood Watch" campaign aimed at fighting malware, for bringing this example of plain English to our attention. "While we appreciate hotelcodec.com's concise EULA, we don't suggest that users install their codec on their machines," Stopbadware.org advises.
Hotelcodec.com connects to a site called tvcodec that prompts users to download a "codec" that supposedly improves video and audio quality. The hotelcodec1000.exe application offered up contains the Zlob Trojan (AKA DNSChanger), as confirmed by tests we carried out at VirusTotal (see screen shot here).
Anti-virus detection is patchy for now, but the site is well on its way to being blacklisted by security services such as McAfee SiteAdvisor, as you can see here. ®
You have my sympathies. I relish the thought of those developers finally being forced to face reality someday (or fired). If you haven't already done so, you might see if Software Restriction Policy has something to offer you on WinXP and Vista clients:
I would SO love to have non-Administrator user accounts, but unfortunately developers still exist that think "All my user-base are belong to Administrators" (sorry) - especially in the niche market of Healthcare.
I find myself asking every day "why does your crappy little database NEED the user to have God-like power over their desktop?" It's very disillusioning...
Zlob is not DNSChanger, and furthermore...
The EULA shown here is not the one that an end user would see if he were suckered into installing or running the hotelcodec Trojan from an actual affiliate site. It's just the EULA you see if for some reason you go straight to hotelcodec.com and download the dummy file like a newbie. ;)
The "real" hotelcodec.com Trojans are DNSChanger. Zlob is not "aka DNSChanger"; they are different families, although the tactic used to get users to run them is the same.
As for hotelcodec.com being blacklisted, it is already more than halfway through its lifecycle (the Zlob and DNSChanger gangs typically rotate the hosting domains out after just a few days), and SiteAdvisor's glacial 2-4 week reaction time is far too slow to be much use against current "live" Zlob and DNSChanger domains. Too little, too late. I specialize in doing SiteAdvisor reviews on Zlob and DNSChanger, so this is a bit frustrating ;)
The best blanket defense against these Trojans, aside from user education, is the one that's free, doesn't need definition updates, and is already sitting there waiting to be put into effect: non-Administrator user accounts. http://www.mechbgon.com/security2.html