Every successful gambler knows how to handle a certain amount of risk, and how to minimize their losses. Some supplement their winnings - or offset their losses - by taking advantage of what is known as a rakeback. A rake is a small fee, usually 3 to 5 percent, taken by the house on every pot played. A rakeback is when a portion of that fee is returned to the player.
In December 2005, someone using the nickname "pat82" posted a message to a popular gaming forum, claiming to have coded a new tool dubbed RBcalc to calculate rakebacks.
The first response to pat82's post asked, "is this gonna put a bot on my system that lets u see my cards?" Pat82 responded with, "If you feel that way you dont have to use my tool, but dont talk [censored] about things you have no grounds for whatsoever." Yet another poster replied that, "Currently, Windows Antispyware is freaking out over a possible trojan", an alert that "came up right after unzipping and running this program."
In the midst of that debate, the tool was purchased by Checkraised.com and offered as a free download via that website - an act that helped legitimize its use. Despite that, the last poster to the thread, in February 2006, confessed that he still "was hesitant to go forward with (installing the tool)" and chided himself for being a coward.
As it turns out, he wasn't a coward. He was smart. Those who had expressed concern had much reason to fret - the posted file was indeed a Trojan that allowed the author to steal the user's login credentials for several popular gaming sites (CEPoker, partypoker, pokernow, MultiPoker, and Empirepoker).
In addition, the Trojan captured screenshots and sent them to the author, presumably allowing him to see other players' hands. RBCalc also created a backdoor that allowed further malicious code to be installed on the affected computer. Portions of the Trojan were hidden by a rootkit that was silently installed alongside the RBCalc program.
Antivirus vendor F-Secure is credited with discovering the ruse and notifying Checkraised.com. That company responded by posting manual removal instructions on their website. However, these instructions may be of little use given the presence of the rootkit, since some of the files and registry keys noted in the removal instructions won't be readily apparent.
F-Secure advises, "If you have downloaded and executed this binary provided by checkraised.com, you should check your system immediately for possible infection." To help users do so, F-Secure provides their new (and free) F-Secure Online Scanner Next Generation Beta, which includes rootkit detection via the F-Secure BlackLight engine.
To minimize your losses from this Trojan, use the F-Secure Online Scanner to check for infection. After cleaning your system, be sure to change all passwords that may have been compromised. Keep a close eye on credit card statements and other financial reports and report any unauthorized charges or suspicious activities on those accounts to the appropriate financial institution.
Possible signs of infection
According to antivirus vendor F-Secure, when the Trojaned RBCalc.exe (which they've dubbed the Small.la Trojan) is first run it drops four files to the Windows system directory:
utlsrv.exe
comclg32.dll
d3dclsrv.dll
ndsdavsrv.sys
Note: By default, the Windows system directory is:
Windows 95/98/ME --> C:\Windows\System
Windows NT/2000 --> C:\Winnt\System32
Windows XP --> C:\Windows\System32
In order to run each time Windows is started, Trojan Small.la modifies the Registry as follows:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Comclg32" = "%system%\utlsrv.exe /Comclg32.dll"
Trojan Small.la also makes the following Registry modification which may be hidden by the rootkit:
HKLM\System\ControlSet001\Services\ndsdavsrv ImagePath=\??\C:\WINDOWS\System32\ndsdavsrv.sys
If the above registry edits or files are found (in the locations specified), this may indicate possible infection. The Small.la Trojan includes rootkit technology, thus the aforementioned files and registry edits may not be readily apparent. The best method of determining infection by the Small.la Trojan is to scan the system using the F-Secure Online Scanner Next Generation Beta.
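As an added example (not code from F-Secure or Checkraised.com), the following Python script matches a file listing and a registry export against the indicators listed above, and shows the cross-view idea behind rootkit detection: an entry that appears when the data is read directly but is missing from the normal API enumeration is a candidate for being hidden. The directory listings and registry values are constructed sample data for an XP system; on a real machine they would come from a normal listing and from an offline read of the disk and hive.

```python
import ntpath

# Indicators from the F-Secure description quoted above (Small.la Trojan).
DROPPED_FILES = {"utlsrv.exe", "comclg32.dll", "d3dclsrv.dll", "ndsdavsrv.sys"}
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
SERVICE_KEY = r"HKLM\System\ControlSet001\Services\ndsdavsrv"

def check_files(listing):
    """Return the dropped-file names present in a listing of full Windows paths."""
    names = {ntpath.basename(p).lower() for p in listing}
    return sorted(names & DROPPED_FILES)

def check_registry(values):
    """values maps (key, value_name) -> data. Return matching indicator strings."""
    hits = []
    for (key, name), data in values.items():
        k, n, d = key.lower(), name.lower(), data.lower()
        if k == RUN_KEY.lower() and (n == "comclg32" or "utlsrv.exe" in d):
            hits.append(f"Run value {name} = {data}")
        if k == SERVICE_KEY.lower() and n == "imagepath" and "ndsdavsrv.sys" in d:
            hits.append(f"Service ImagePath = {data}")
    return hits

def hidden_from_api(api_view, raw_view):
    """Cross-view check: names present in the raw (disk/hive) view but absent
    from the API enumeration are candidates for rootkit hiding."""
    return sorted({n.lower() for n in raw_view} - {n.lower() for n in api_view})

def assess(api_files, raw_files, api_reg, raw_reg):
    """Combine indicator matches on the raw views with the cross-view diff."""
    reg_names = lambda reg: [f"{k}\\{n}" for k, n in reg]
    findings = {
        "files": check_files(raw_files),
        "registry": check_registry(raw_reg),
        "hidden_files": hidden_from_api(api_files, raw_files),
        "hidden_registry": hidden_from_api(reg_names(api_reg), reg_names(raw_reg)),
    }
    findings["infected"] = bool(findings["files"] or findings["registry"])
    return findings

# Constructed sample of an infected XP system: the rootkit hides two of the
# dropped files and the service key from the API view but not from the raw view.
SYS = r"C:\Windows\System32"
API_FILES = [SYS + r"\kernel32.dll", SYS + r"\utlsrv.exe", SYS + r"\comclg32.dll"]
RAW_FILES = API_FILES + [SYS + r"\d3dclsrv.dll", SYS + r"\ndsdavsrv.sys"]
API_REG = {(RUN_KEY, "Comclg32"): r"%system%\utlsrv.exe /Comclg32.dll"}
RAW_REG = {**API_REG, (SERVICE_KEY, "ImagePath"): r"\??\C:\WINDOWS\System32\ndsdavsrv.sys"}
```

Call assess(API_FILES, RAW_FILES, API_REG, RAW_REG) to see the indicator hits plus the two files and one registry key the sample rootkit hides; an empty "hidden" list on a real system is not proof of a clean machine, which is why the text recommends an independent scanner.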