Check Raised RBCalc.exe Online Poker Calculator has Money-Stealing Small.la Trojan On Board

The Internet Patrol default featured image
Share the knowledge

Check Raised’s RBCalc.exe Online Poker earnings calculator has the Backdoor.Win32.Small.la (Small.la for short) rootkit trojan hiding in it according both to online security company F-Secure, and Check Raised itself.

F-Secure explains that “Small.la is a spying trojan that targets several online poker games. It was distributed from a website checkraised.com using a trojaned Rakeback calculator application (RBCalc.exe). The trojan hides itself using rootkit techniques.” Once running, it monitors your accounts at several online poker sites, allowing the programmer behind the trojan to steal your poker account money – often by simply making it look like you played some losing hands, so you’ll never suspect something is amiss if you don’t pay really close attention to your accounts.

According to Check Raised, the trojan was slipped into its RBCalc.exe program by a programmer who worked on the program, which Check Raised began offering nearly sixth months ago, in December of 2006. Check Raised said that because the trojan was undetectable by many popular anti-virus programs, they had no idea about it until a third party brought it to their attention recently.

Check Raised goes on to say that “If you have ever used rbcalc please read the following to check if the malicious software is on your machine and how to remove it. This virus could also come bundled with other poker applications, so please read the following even if you have never heard of rbcalc.”

When you run RBCalc.exe, Backdoor.Win32.Small.la silently copies four files into your Windows system directory. These files are:

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

utlsrv.exe
comclg32.dll
d3dclsrv.dll
ndsdavsrv.sys

It then runs utlsrv.exe and begins spying all all of these applications:

PartyGaming.exe
mppoker.exe
poker.exe
gameclient.exe
ultimatebet.exe
absolutepoker.exe
mainclient.exe
pokerstars.exe
pokerstarsupdate.exe
partypoker.exe
fulltiltpoker.exe
pokernow.exe
multipoker.exe
empirepoker.exe
eurobetpoker.exe

Check Raised has instructions for finding and removing Small.la here.

Get New Internet Patrol Articles by Email!

The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.

CashApp us Square Cash app link

Venmo us Venmo link

Paypal us Paypal link

 


Share the knowledge

Leave a Reply

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.