Check Raised RBCalc.exe Online Poker Calculator has Money-Stealing Small.la Trojan On Board

The Internet Patrol - Patrolling the Internet for You

 

Check Raised’s RBCalc.exe Online Poker earnings calculator has the Backdoor.Win32.Small.la (Small.la for short) rootkit trojan hiding in it, according to both online security company F-Secure and Check Raised itself.

F-Secure explains that “Small.la is a spying trojan that targets several online poker games. It was distributed from a website checkraised.com using a trojaned Rakeback calculator application (RBCalc.exe). The trojan hides itself using rootkit techniques.” Once running, it monitors your accounts at several online poker sites, allowing the programmer behind the trojan to steal your poker account money – often by simply making it look like you played some losing hands, so you’ll never suspect something is amiss if you don’t pay really close attention to your accounts.

According to Check Raised, the trojan was slipped into its RBCalc.exe program by a programmer who worked on the program, which Check Raised began offering nearly six months ago, in December of 2006. Check Raised said that because the trojan was undetectable by many popular anti-virus programs, they had no idea about it until a third party brought it to their attention recently.


Check Raised goes on to say that “If you have ever used rbcalc please read the following to check if the malicious software is on your machine and how to remove it. This virus could also come bundled with other poker applications, so please read the following even if you have never heard of rbcalc.”

When you run RBCalc.exe, Backdoor.Win32.Small.la silently copies four files into your Windows system directory. These files are:

utlsrv.exe
comclg32.dll
d3dclsrv.dll
ndsdavsrv.sys


It then runs utlsrv.exe and begins spying on all of these applications:

PartyGaming.exe
mppoker.exe
poker.exe
gameclient.exe
ultimatebet.exe
absolutepoker.exe
mainclient.exe
pokerstars.exe
pokerstarsupdate.exe
partypoker.exe
fulltiltpoker.exe
pokernow.exe
multipoker.exe
empirepoker.exe
eurobetpoker.exe

Check Raised has instructions for finding and removing Small.la here.
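
A triage check for the four dropped file names listed above, as an added example that is not from Check Raised, F-Secure or the original article. Because the trojan hides itself using rootkit techniques, it assumes the suspect disk is examined offline (mounted on another machine) and that you pass it that volume's Windows system directory; the function names and verdict labels are illustrative.

```python
import hashlib
import sys
import tempfile
from pathlib import Path

# File names the article lists as copied into the Windows system directory.
SMALL_LA_FILES = ("utlsrv.exe", "comclg32.dll", "d3dclsrv.dll", "ndsdavsrv.sys")


def sha256_of(path):
    """Hash a file in chunks so large binaries need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_dropped_files(system_dir):
    """Map each listed name found in system_dir to its path, size and SHA-256."""
    wanted = {name.lower() for name in SMALL_LA_FILES}
    hits = {}
    for entry in Path(system_dir).iterdir():
        key = entry.name.lower()  # Windows names are case-insensitive
        if key in wanted and entry.is_file():
            hits[key] = {"path": str(entry), "size": entry.stat().st_size,
                         "sha256": sha256_of(entry)}
    return hits


def triage(system_dir):
    """Verdict is 'none', 'partial' (some names present) or 'all' (all four)."""
    hits = find_dropped_files(system_dir)
    missing = sorted(set(SMALL_LA_FILES) - set(hits))
    verdict = "none" if not hits else ("all" if not missing else "partial")
    return {"verdict": verdict, "found": hits, "missing": missing}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = sys.argv[1]  # system directory of the mounted volume
    else:  # constructed sample: a temp folder standing in for that directory
        target = tempfile.mkdtemp()
        Path(target, "UTLSRV.EXE").write_bytes(b"constructed sample")
    report = triage(target)
    print("verdict:", report["verdict"])
    for name, info in report["found"].items():
        print(f"{name}  {info['size']} bytes  sha256={info['sha256']}  {info['path']}")
    print("not found:", ", ".join(report["missing"]) or "-")
```

A "none" verdict only means none of the four names is present in that directory; the hashes are recorded so any file that is found can be identified later.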

 