F-Secure: Be Sure
Main
F-Secure Logo - Be Sure
Select local site


Privacy Policy
Contact Us

F-Secure Trojan Information Pages : Small.la

[ Summary ] | [ Detailed Description ] | [ Detection ]

Name:Small.la
Alias:Backdoor.Win32.Small.la
Type:Trojan, Rootkit, Backdoor
Category:Trojan
Platform:Win32

Summary

Small.la is a spying trojan that targets several online poker games. It was distributed from the website checkraised.com using a trojan embedded Rakeback calculator application (RBCalc.exe). The trojan hides itself using rootkit techniques.

Detailed Description

System installation

When the trojan application RBCalc.exe is executed, it silently drops the following 4 files to windows system directory:

  • comclg32.dll
  • d3dclsrv.dll
  • ndsdavsrv.sys
  • utlsrv.exe
The dropper then executes utlsrv.exe, the main trojan file.

When the main file is run, it installs the following registry lauchpoint:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Comclg32" = "%system%\utlsrv.exe /Comclg32.dll"

After that, it monitors the running processes and injects the spying component, comclg32.dll, to following list of tasks:
  • absolutepoker.exe
  • empirepoker.exe
  • eurobetpoker.exe
  • fulltiltpoker.exe
  • gameclient.exe
  • mainclient.exe
  • mppoker.exe
  • multipoker.exe
  • PartyGaming.exe
  • partypoker.exe
  • poker.exe
  • pokernow.exe
  • pokerstars.exe
  • pokerstarsupdate.exe
  • ultimatebet.exe
The trojan main component also checks if the following processes are running on system:
  • blackd.exe
  • blackice.exe
  • outpost.exe
  • umxagent.exe
  • umxcfg.exe
  • umxfwhlp.exe
  • umxlu.exe
  • umxpol.exe
  • umxtray.exe
  • zone alarm security
If any of the above processes exist, the trojan quits execution.

Below is a screenshot of the RBCalc.exe main screen:
RBCalc.exe main screen


Rootkit functionality

The trojan's main file installs and loads the driver ndsdavsrv.sys, and uses it to hide its process and the registry launchpoint.


Backdoor

When the spying component comclg32.dll is initialized, it starts a keylogger and connects to a remote server. The server can instruct the backdoor to do any of the following tasks:
  • Download and execute files
  • Send application screenshots
  • Shutdown the trojan
  • Upload files
The backdoor also sends out sensitive information to a remote server, including keylogger database, computer name, and the username and password of the following online poker applications:
  • CEPoker
  • Empirepoker
  • MultiPoker
  • partypoker
  • pokernow


Back to the Top


Detection

F-Secure Anti-Virus detects this malware with the following updates:

[FSAV_Database_Version]

Version = 2006-05-08_01.


Back to the Top


Write-up: Jarkko Turkulainen, May 16, 2006

Technical Details: Jarkko Turkulainen, May 16, 2006

F-Secure Corporation