<<<
NEWS FROM THE LAB - Wednesday, May 17, 2006
>>>
More about the "Poker Rootkit" Posted by Mikko @ 04:07 GMT

Relating to our earlier post on the RBCalc rootkit, we've received some questions on what the malicious RBCALC.EXE application looked like.

Here are some screenshots:

[screenshot: rbcalc]

[screenshot: about]

We've also updated our technical description of this backdoor, complete with a list of poker applications that are targeted:

  PartyGaming.exe
  mppoker.exe
  poker.exe
  gameclient.exe
  ultimatebet.exe
  absolutepoker.exe
  mainclient.exe
  pokerstars.exe
  pokerstarsupdate.exe
  partypoker.exe
  fulltiltpoker.exe
  pokernow.exe
  multipoker.exe
  empirepoker.exe
  eurobetpoker.exe
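
The list above is what a defender would turn into a hunting check: flag a host where RBCALC.EXE is running at the same time as one of the targeted poker clients. The script below is an added example, not code from the F-Secure post or description; the process snapshot it scans is constructed, and the only names it relies on are the image names given in this post.

```python
# Added example (not F-Secure's code): scan a process snapshot for the
# RBCALC.EXE backdoor running alongside one of the poker clients it targets.

# Process names listed in the post as targeted by the backdoor, lower-cased
# so matching is case-insensitive the way Windows image names are.
TARGETED_POKER_CLIENTS = {
    name.lower()
    for name in (
        "PartyGaming.exe", "mppoker.exe", "poker.exe", "gameclient.exe",
        "ultimatebet.exe", "absolutepoker.exe", "mainclient.exe",
        "pokerstars.exe", "pokerstarsupdate.exe", "partypoker.exe",
        "fulltiltpoker.exe", "pokernow.exe", "multipoker.exe",
        "empirepoker.exe", "eurobetpoker.exe",
    )
}

# Image name of the malicious application named in the post.
BACKDOOR_IMAGE = "rbcalc.exe"


def normalize_image(image: str) -> str:
    """Reduce a full image path to its lower-cased basename.

    Accepts both Windows and POSIX separators so the check works whether the
    snapshot came from tasklist, WMI, or a forensic tool run on another OS.
    """
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(snapshot):
    """Classify a process snapshot.

    `snapshot` is an iterable of (pid, image_path) pairs. Returns a dict with
    the pids running the backdoor, the targeted poker clients found, and a
    `suspicious` flag that is set only when both are present at once, the
    combination this post is about.
    """
    backdoor_pids = []
    targeted = []
    for pid, image in snapshot:
        name = normalize_image(image)
        if name == BACKDOOR_IMAGE:
            backdoor_pids.append(pid)
        elif name in TARGETED_POKER_CLIENTS:
            targeted.append((pid, name))
    return {
        "backdoor_pids": backdoor_pids,
        "targeted_clients": targeted,
        "suspicious": bool(backdoor_pids) and bool(targeted),
    }


# Constructed sample snapshot (not real data): a machine running the backdoor
# together with one poker client, plus unrelated processes.
SAMPLE_SNAPSHOT = [
    (4, "System"),
    (612, r"C:\WINDOWS\explorer.exe"),
    (1340, r"C:\Program Files\PokerStars\PokerStars.exe"),
    (1988, r"C:\Documents and Settings\user\Desktop\RBCALC.EXE"),
    (2044, r"C:\Program Files\Mozilla Firefox\firefox.exe"),
]

if __name__ == "__main__":
    print(hunt(SAMPLE_SNAPSHOT))
```

Feeding it a real `tasklist` or WMI export is a matter of turning each row into a (pid, path) pair; matching on the basename rather than the full path is deliberate, since the post gives only image names and the backdoor can sit anywhere on disk.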

Stealing money via stolen poker accounts might be hard to prove: an attacker could log in with your stolen account and then play poker badly against himself. Try explaining that to the administrators of the gaming site: "I lost lots of money because somebody logged in as me and then played badly!" - "Yeah, sure they did".

F-Secure Anti-Virus detects this thing as Backdoor.Win32.Small.la. However, this doesn't seem to be a very big problem in the real world.