Check Raised RBCalc.exe Online Poker Calculator has Money-Stealing Small.la Trojan On Board   5/20/2006 - 1,292 views,

F-Secure explains that “Small.la is a spying trojan that targets several online poker games. It was distributed from a website checkraised.com using a trojaned Rakeback calculator application (RBCalc.exe). The trojan hides itself using rootkit techniques.” Once running, it monitors your accounts at several online poker sites, allowing the programmer behind the trojan to steal your poker account money - often by simply making it look like you played some losing hands, so you’ll never suspect something is amiss if you don’t pay really close attention to your accounts.

According to Check Raised, the trojan was slipped into its RBCalc.exe program by a programmer who worked on the program, which Check Raised began offering nearly sixth months ago, in December of 2006. Check Raised said that because the trojan was undetectable by many popular anti-virus programs, they had no idea about it until a third party brought it to their attention recently.

Check Raised goes on to say that “If you have ever used rbcalc please read the following to check if the malicious software is on your machine and how to remove it. This virus could also come bundled with other poker applications, so please read the following even if you have never heard of rbcalc.”

When you run RBCalc.exe, Backdoor.Win32.Small.la silently copies four files into your Windows system directory. These files are:

utlsrv.exe
comclg32.dll
d3dclsrv.dll
ndsdavsrv.sys

It then runs utlsrv.exe and begins spying all all of these applications:

PartyGaming.exe
mppoker.exe
poker.exe
gameclient.exe
ultimatebet.exe
absolutepoker.exe
mainclient.exe
pokerstars.exe
pokerstarsupdate.exe
partypoker.exe
fulltiltpoker.exe
pokernow.exe
multipoker.exe
empirepoker.exe
eurobetpoker.exe

Check Raised has instructions for finding and removing Small.la here.