Check Raised’s RBCalc.exe Online Poker earnings calculator has the Backdoor.Win32.Small.la (Small.la for short) rootkit trojan hiding in it according both to online security company F-Secure, and Check Raised itself.
F-Secure explains that “Small.la is a spying trojan that targets several online poker games. It was distributed from a website checkraised.com using a trojaned Rakeback calculator application (RBCalc.exe). The trojan hides itself using rootkit techniques.” Once running, it monitors your accounts at several online poker sites, allowing the programmer behind the trojan to steal your poker account money – often by simply making it look like you played some losing hands, so you’ll never suspect something is amiss if you don’t pay really close attention to your accounts.
According to Check Raised, the trojan was slipped into its RBCalc.exe program by a programmer who worked on the program, which Check Raised began offering nearly sixth months ago, in December of 2006. Check Raised said that because the trojan was undetectable by many popular anti-virus programs, they had no idea about it until a third party brought it to their attention recently.
Check Raised goes on to say that “If you have ever used rbcalc please read the following to check if the malicious software is on your machine and how to remove it. This virus could also come bundled with other poker applications, so please read the following even if you have never heard of rbcalc.”
When you run RBCalc.exe, Backdoor.Win32.Small.la silently copies four files into your Windows system directory. These files are:
The Internet Patrol is completely free, and we don't subject you to ads or annoying video pop-ups. But it does cost us out of our pocket to keep the site going (going on 20 years now!) So your tips via CashApp, Venmo, or Paypal are VERY appreciated! Receipts will come from ISIPP.
utlsrv.exe
comclg32.dll
d3dclsrv.dll
ndsdavsrv.sys
It then runs utlsrv.exe and begins spying all all of these applications:
PartyGaming.exe
mppoker.exe
poker.exe
gameclient.exe
ultimatebet.exe
absolutepoker.exe
mainclient.exe
pokerstars.exe
pokerstarsupdate.exe
partypoker.exe
fulltiltpoker.exe
pokernow.exe
multipoker.exe
empirepoker.exe
eurobetpoker.exe
Check Raised has instructions for finding and removing Small.la here.
The Internet Patrol is completely free, and we don't subject you to ads or annoying video pop-ups. But it does cost us out of our pocket to keep the site going (going on 20 years now!) So your tips via CashApp, Venmo, or Paypal are appreciated!
Receipts will come from ISIPP.