Online Casinos - Casinomeister

Thread: Virus/Trojan in Poker Software - Rake Calculator - (RBCALC)

  #1 Sodax77 (EU|FI, joined Apr 2004)

    Virus/Trojan in Poker Software - Rake Calculator - (RBCALC)

    Details that I found/read/etc. + Tietokone.fi article

    Official status: Trojan
    Risk: May clean out your account balance!


    I saw this at http://www.tietokone.fi/uutta/uutine...27026&tyyppi=1 (Finnish language).

    This is the only English topic I found:
    http://forumserver.twoplustwo.com/sh...sb=5&o=14&vc=1
    In December 2005 we contracted a programmer to create a rake calculator for us. The rake calculator (known as rbcalc, rbcalc.exe) was an executable file that a player would run on his machine to calculate rake from hands he previously played (stored in hand history files or a poker tracker database).

    It has recently come to our attention that early versions of this program that we received contained a virus that installs itself every time the user runs rbcalc.

    The virus goes undetected by Norton AntiVirus and Microsoft Defender, even to this day. This is why we never noticed it until a 3rd party contacted us about the malicious software.

    If you have ever used rbcalc please read the following to check if the malicious software is on your machine and how to remove it. This virus could also come bundled with other poker applications, so please read the following even if you have never heard of rbcalc.

    Open up your C:\Windows\System32\ directory. Look for the following files.

    \WINDOWS\system32\d3dclsrv.dll
    \WINDOWS\system32\ndsdavsrv.sys
    \WINDOWS\system32\comclg32.dll
    \WINDOWS\system32\utlsrv.exe

    Please note that these files have VERY similar names to system files needed by Windows. This is because they want you to believe these files are important. You are only infected if these file names are EXACTLY the same as above.

    If you notice these files then it is safe to assume you are infected. To remove these please delete the following:

    \WINDOWS\system32\d3dclsrv.dll
    \WINDOWS\system32\ndsdavsrv.sys
    \WINDOWS\system32\comclg32.dll


    Then open the registry (START > RUN > type ‘regedit’). In the folder view on the right please open up the following path:

    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ndsdavsrv


    In that folder you will see the following:

    ImagePath=\??\C:\WINDOWS\System32\ndsdavsrv.sys. Please delete this entry.


    Reboot your machine.


    Go back to the registry (START > RUN > type ‘regedit’) and open the following path:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (please look in Run- as well, or anything like 'Run' if you notice these folders). Most users will only have a Run folder.


    You will see the following key.

    Comclg32=C:\WINDOWS\System32\utlsrv.exe /Comclg32.dll

    Please delete that entry.


    Now bring up your Task Manager (CTRL+ALT+DEL, click the Processes tab). Look for the program utlsrv.exe and right click on it and select End Process.


    Open the C:\Windows\System32 folder and find the file utlsrv.exe. Delete it.


    CHANGE ALL OF YOUR POKER SITE PASSWORDS

    Please delete all instances of rbcalc (RBCalc.exe). We do not want any users running this software. The software will no longer be supported and the web pages will be replaced with the message you are reading now.


    Although this software was infected, we have thoroughly examined our websites and have found that none of them were compromised. The person who programmed this file did not have access to any of our sites. He would send updates by way of email, we would virus scan it (what good that did!), and then we would upload it to our website. Any information stored on Rake Tracker, Your Poker Cash, and Check Raised remains secure and safe.

    To prevent such situations from happening in the future, we do not plan on developing any executable applications. In addition, all future programming will be done in-house to ensure the maximum safety that we can provide to our users.

    We have submitted all of the information that we have to CERT, Symantec, McAfee, and TrendMicro. Please help us heighten awareness of this issue and forward this page to the developer of your anti-virus software.

    We are deeply sorry for any trouble we may have caused. We hope that we have not ruined your trust and faith in us, but right now our highest priority is protecting any and all users and removing this potentially damaging software from all computers.
    Last edited by Sodax77; 16th May 2006 at 11:49 AM. Reason: more information
    | © 2004 - 2011 Sodax77 |


  #2 Sodax77
    More Information:

    Wednesday, May 17, 2006

    More about the "Poker Rootkit" Posted by Mikko @ 04:07 GMT

    -----------------------------------------------------------


    Relating to our earlier post on the RBCalc rootkit, we've received some questions on what the malicious RBCALC.EXE application looked like.

    Here's some screenshots: http://www.f-secure.com/weblog/archi...ve-052006.html

    We've also updated our technical description of this backdoor, complete with a list of poker applications that are targeted:

    PartyGaming.exe
    mppoker.exe
    poker.exe
    gameclient.exe
    ultimatebet.exe
    absolutepoker.exe
    mainclient.exe
    pokerstars.exe
    pokerstarsupdate.exe
    partypoker.exe
    fulltiltpoker.exe
    pokernow.exe
    multipoker.exe
    empirepoker.exe
    eurobetpoker.exe


    Stealing money via stolen poker accounts might be hard to prove: an attacker could log in with your stolen account and then play poker badly against himself. Try explaining that to the administrators of the gaming site: "I lost lots of money because somebody logged in as me and then played badly!" - "Yeah, sure they did".

    F-Secure Anti-Virus detects this thing as Backdoor.Win32.Small.la. However, this doesn't seem to be a very big problem in the real world.

    Tuesday, May 16, 2006
    http://www.f-secure.com/weblog/archi...ve-052006.html

    Monday, May 15, 2006

    How's your poker face? Posted by Kimmo @ 13:34 GMT

    -----------------------------------------------------------

    Last Wednesday evening, the 10th of May, we received an interesting sample from a user. It was a normal PE executable named RBCalc.exe and the submitter described it as a rootkit. We proceeded with the sample as usual, beginning analysis on it. It wasn't long at all before we noticed it contained a nasty surprise. RBCalc.exe, also known as Rakeback calculator, was actually a Trojan. When RBCalc.exe is run, it silently drops four executable files into the user's %SystemRoot%\system32 folder and executes them.

    The purpose of the dropped executables is to collect login information for various online poker websites from the user's computer and send them back to the malware author. In addition, the main malware component was protected by a rootkit driver that hid its process and launch point from registry.

    The serious thing here was that RBCalc.exe was distributed by checkraised.com - a website that provides tools, articles and other various applications to all poker players. As a result, many online poker players could have been affected by this targeted attack.

    The day after we received the sample, on the 11th of May, detection for RBCalc.exe and all files it dropped was added to our database. Abuse reports were also sent to CERT and checkraised.com. On the evening of May 12th, RBCalc.exe was removed from the checkraised.com website.

    If you have downloaded and executed this binary provided by checkraised.com, you should check your system immediately for possible infection. You can scan your computer for free with our new F-Secure Online Scanner Next Generation Beta, which also now has rootkit detection capabilities through the F-Secure BlackLight engine.

    Checkraised.com (http://www.checkraised.com/site/apps/rbcalc/rbcalc.php) has set up a page to explain their view of the situation. The page also contains step-by-step instructions for manually removing the malware.

    So a question for all you poker fanatics; when is this not a winning hand?

    Answer: When your online poker login credentials have been stolen and your
    account drained. We have received no reports of this happening, but
    the possibility is definitely there.

    http://www.f-secure.com/weblog/archi....html#00000878
    Last edited by Sodax77; 17th May 2006 at 01:52 PM.


  #3 Sodax77
    And:


    F-Secure Trojan Information Pages : Small.la



    Name: Small.la
    Alias: Backdoor.Win32.Small.la
    Type: Backdoor, Trojan, Rootkit
    Category: Trojan
    Platform: Win32

    Summary

    Small.la is a spying trojan that targets several online poker games. It was distributed from a website checkraised.com using a trojaned Rakeback calculator application (RBCalc.exe). The trojan hides itself using rootkit techniques.

    Detailed Description

    System installation

    When the trojan application RBCalc.exe is executed, it silently drops the following 4 files to the Windows system directory:


    utlsrv.exe
    comclg32.dll
    d3dclsrv.dll
    ndsdavsrv.sys
    Then the dropper executes the file utlsrv.exe, which is the trojan's main file.

    When the main file is run, it installs the following registry launch point:

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Comclg32" = "%system%\utlsrv.exe /Comclg32.dll"

    After that, it monitors the running processes and injects the spying component comclg32.dll into the following list of tasks:

    PartyGaming.exe
    mppoker.exe
    poker.exe
    gameclient.exe
    ultimatebet.exe
    absolutepoker.exe
    mainclient.exe
    pokerstars.exe
    pokerstarsupdate.exe
    partypoker.exe
    fulltiltpoker.exe
    pokernow.exe
    multipoker.exe
    empirepoker.exe
    eurobetpoker.exe


    The trojan main component also checks if the following processes are running on the system:

    blackice.exe
    blackd.exe
    outpost.exe
    umxagent.exe
    umxcfg.exe
    umxfwhlp.exe
    umxlu.exe
    umxtray.exe
    umxpol.exe
    zone alarm security


    If any of the above processes exist, the trojan quits execution.

    Here's a screenshot of RBCalc.exe main screen:
    http://www.f-secure.com/v-descs/small_la.shtml



    Rootkit functionality

    The trojan main file installs and loads the driver ndsdavsrv.sys and uses it to hide its process and the registry launchpoint.


    Backdoor

    When the spying component comclg32.dll is initialized, it starts a keylogger and connects to a remote server. The server can instruct the backdoor to do any of the following tasks:

    download and execute files
    upload files
    shut down the trojan
    send application screenshots

    The backdoor also sends out sensitive information to the remote server, including the keylogger database, computer name, and the username and password of the following online poker applications:


    CEPoker
    partypoker
    pokernow
    MultiPoker
    Empirepoker



    Detection


    F-Secure Anti-Virus detects this malware with the following updates:

    [FSAV_Database_Version]

    Version = 2006-05-08_01.

    Write-up: Jarkko Turkulainen, May 16, 2006

    Technical Details: Jarkko Turkulainen, May 16, 2006

    Description Updated: Jarkko Turkulainen, May 16, 2006

    F-Secure Corporation
    http://www.f-secure.com/v-descs/small_la.shtml
    Last edited by Sodax77; 17th May 2006 at 01:54 PM.
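Posts #1 and #3 above describe the same artifact set: four dropped files in System32, the "Comclg32" Run value pointing at utlsrv.exe, the ndsdavsrv service key, the utlsrv.exe process, and comclg32.dll injected into the poker clients. The script below is an added example written for this thread, not code from checkraised.com, F-Secure or the poster. It checks those indicators against artifacts exported from a suspect machine (a `dir /b` listing of System32, a `reg export HKLM` file and `tasklist /m` output) rather than querying the live system, because the F-Secure description says the ndsdavsrv.sys driver hides the process and the Run value from the running machine; the file and service-key checks are the ones to trust on an infected box. Assumptions not taken from the page: that the injected comclg32.dll is visible in the module list of a poker client, and the constructed sample inputs at the bottom of the script.

```python
"""Offline indicator check for the RBCalc trojan (Backdoor.Win32.Small.la).

Added example, not checkraised.com's or F-Secure's code. It reads artifacts
exported from the suspect PC (dir /b of System32, `reg export HKLM`, `tasklist /m`)
rather than querying the live machine, because the rootkit driver hides the
utlsrv.exe process and its Run value. The sample inputs below are constructed.
"""
import re, sys

# Dropped files; exact, case-insensitive match so look-alikes (comdlg32.dll, comctl32.dll) never fire.
DROPPED_FILES = {"d3dclsrv.dll", "ndsdavsrv.sys", "comclg32.dll", "utlsrv.exe"}
SPY_DLL = "comclg32.dll"  # injected into poker clients; assumed to show up in tasklist /m
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run[^\\]*$", re.I)
SERVICE_KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\(?:ControlSet\d+|CurrentControlSet)\\Services\\ndsdavsrv$", re.I)


def parse_reg_export(text):
    """{key: {name: data}} from .reg text; REG_SZ data is unescaped, other types kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            data = data.strip()
            if data.startswith('"'):
                data = data.strip('"').replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name.strip('"')] = data
    return keys


def parse_tasklist_modules(text):
    """{(image, pid): [modules]} from `tasklist /m`; the module column wraps onto indented lines."""
    procs, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("=") or raw.startswith("Image Name"):
            continue
        m = re.match(r"^(\S.*?)\s+(\d+)(?:\s+(.*))?$", raw)
        if m:
            current = (m.group(1), int(m.group(2)))
            procs[current], mods = [], m.group(3) or ""
        elif current is not None and raw[0].isspace():
            mods = raw
        else:
            continue
        procs[current] += [x.strip().lower() for x in mods.split(",") if x.strip() not in ("", "N/A")]
    return procs


def check_host(system32_listing, reg_export, tasklist_output):
    """Return the indicators found in one host's exported artifacts."""
    present = {n.strip().lower() for n in system32_listing.splitlines() if n.strip()}
    findings = [f"file: %SystemRoot%\\System32\\{f}" for f in sorted(DROPPED_FILES & present)]
    for key, values in parse_reg_export(reg_export).items():
        if SERVICE_KEY_RE.match(key):
            findings.append(f"service: {key}")
        elif RUN_KEY_RE.search(key):
            for name, data in values.items():
                if name.lower() == "comclg32" or "utlsrv.exe" in data.lower():
                    findings.append(f"run: {key}\\{name} = {data}")
    for (image, pid), mods in parse_tasklist_modules(tasklist_output).items():
        if image.lower() == "utlsrv.exe":  # only visible when the rootkit driver is not loaded
            findings.append(f"process: {image} (PID {pid}) is running")
        if SPY_DLL in mods:
            findings.append(f"injected: {image} (PID {pid}) has {SPY_DLL} loaded")
    return findings


# ---- constructed samples (not real captures) --------------------------------
INFECTED_SYSTEM32 = "comctl32.dll\ncomdlg32.dll\ncomclg32.dll\nd3d9.dll\nd3dclsrv.dll\nndsdavsrv.sys\nutlsrv.exe\n"
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Comclg32"="C:\\WINDOWS\\System32\\utlsrv.exe /Comclg32.dll"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ndsdavsrv]
"ImagePath"=hex(2):5c,00,3f,00,3f,00,5c,00,43,00,3a,00,5c,00
"""
INFECTED_TASKLIST = """\
Image Name                     PID Modules
========================= ======== ============================================
System Idle Process              0 N/A
explorer.exe                  1204 ntdll.dll, kernel32.dll, comctl32.dll,
                                   comdlg32.dll
pokerstars.exe                2288 ntdll.dll, kernel32.dll, COMCLG32.dll
"""
CLEAN_SYSTEM32 = "comctl32.dll\ncomdlg32.dll\nd3d9.dll\nctfmon.exe\n"
CLEAN_REG = "\n".join(INFECTED_REG.splitlines()[:4])  # header + Run key with ctfmon only
CLEAN_TASKLIST = INFECTED_TASKLIST.replace("COMCLG32.dll", "comdlg32.dll")


def main(argv):
    """Three file arguments: check real exports (reg.exe writes UTF-16LE with a BOM). None: demo."""
    if len(argv) == 4:
        blobs = [open(p, "rb").read() for p in argv[1:]]
        found = check_host(*[b.decode("utf-16" if b[:2] == b"\xff\xfe" else "utf-8", "replace") for b in blobs])
    else:
        found = check_host(INFECTED_SYSTEM32, INFECTED_REG, INFECTED_TASKLIST)
    print("\n".join(found) or "no RBCalc/Small.la indicators found")
    return 1 if found else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments for the constructed demo, or as `python rbcalc_ioc.py system32.txt hklm.reg tasklist.txt` with files collected on the suspect PC; exit status 1 means indicators were found. Exact name matching is the point of the L50 warning in the checkraised notice: comdlg32.dll and comctl32.dll are legitimate Windows files that the dropper's names imitate, and the clean sample includes them to show they do not fire.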


  #4 Sodax77

    frustrated...

    Thanks for your "thanks" ... what I got

    Based on that...

    I assume that most members don't need this kind of information.
    And they know enough about ~165.000 PC Viruses/Trojans.
    So, please do your own research in future

    Just want to help <sigh>

    Edit:
    My 500th post

  #5 Mousey (Up$hitCreek, joined Sep 2004)
    I do thank you sodax! I hadn't seen this info before you posted it. I've done a search on both my computers, and (whew!) I never used the RBcalc as we rarely play cash games and stick to tourneys.


  #6 Sodax77
    Quote Originally Posted by Mousey
    I do thank you sodax! I hadn't seen this info before you posted it. I've done a search on both my computers, and (whew!) I never used the RBcalc as we rarely play cash games and stick to tourneys.
    Anytime

    I just realized that e.g. Partypoker, PokerStars etc., etc.
    are backed by big companies,
    and they want to avoid bad publicity.

    Also, if a player lost e.g. $20K because of this,
    it is hard to prove.

    Anyway. Be careful!

  #7 Renegade (USA, joined May 2006)
    Thank you Sodax77 for this info!!

    I too just ran a scan on my system and it's clean...

    Again, thanks for your posts on this trojan Sodax77!!


  #8 Sodax77
    You're welcome


    ---------------------------------------------------
    Same Trojan:

    F-Secure - Small.la / Backdoor.Win32.Small.la
    http://www.f-secure.com/v-descs/small_la.shtml

    Symantec - Trojan.Checkraise
    http://securityresponse.symantec.com...heckraise.html

    McAfee - PWS-Poker
    http://vil.nai.com/vil/content/v_139509.htm

    Sophos - Troj/RKProc-Fam / Troj/Keylog-GO
    http://www.sophos.com/pressoffice/ne.../05/poker.html


  #9 nafanny29 (London, England, joined Jul 2004)
    Scary how you could get a nasty virus from what you would think is a useful and genuine bit of software. And more scary that if the fraudsters emptied out your poker account you would IMO have ZERO chance of recovering it from the poker site.

    Just goes to show how careful you have to be online these days.

    Thanks for the info Sodax.

    edit. I now NEVER leave money at any online casino or pokerroom. It means depositing and withdrawing a few times each day but it's less hassle than logging in one day and seeing your bankroll has gone!!


  #10 Renegade
    I agree with you, nafanny29, you really don't know what you're getting from any downloads anymore..
    Most of the time you don't even know who wrote the programs!

    Sodax77, your information and research on this is unmatched!
    Again, I thank you for your time, your research, and your "Guardian Stance" for us here at CM.
    Please keep those updates coming!

  18. The Following User Says Thank You to Renegade For This Useful Post:

    Sodax77 (19th May 2006)

Similar Threads

  1. Replies: 3
    Last Post: 3rd June 2006, 12:10 AM
  2. Poker BIG BUSINESS - Enjoy the article
    By jmildstone in forum Casinomeister's Poker Room
    Replies: 2
    Last Post: 17th March 2005, 03:00 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

Legal Statements and Privacy Policy
Casinomeister.com does not intend for any of the information contained on this website to be used for illegal purposes. You must ensure you meet all age and other regulatory requirements before entering a casino or placing a wager. Online gambling is illegal in many jurisdictions and users should consult legal counsel regarding the legal status of online gambling and gaming in their jurisdictions. The information in this site is for news and entertainment purposes only. Casinomeister.com is an independent directory and information service free of any gaming operator's control. Links to third party websites on Casinomeister.com are provided solely for informative/educational purposes. If you use these links, you leave this Website.