W32/Small.LA!tr.bdr
Analysis
This Trojan is a gambling site password stealer, and was coupled with a program named "Rake Back Calculator" (RBCalc). RBCalc could be used to calculate "rake backs" - a "rake back" is a percentage of the money received from a newly registered poker player on a gambling site, paid out to the referring player(s).
The Trojan has rootkit-like qualities, running in the memory space of an already running application. If the Trojanized RBCalc is run, four files are written to the local system with the "hidden" and "system" file attributes -
c:\WINNT\system32\comclg32.dll (48,176 bytes)
c:\WINNT\system32\d3dclsrv.dll (9,728 bytes)
c:\WINNT\system32\ndsdavsrv.sys (2,432 bytes)
c:\WINNT\system32\utlsrv.exe (6,432 bytes)
The Trojan will create some registry entries to run the loader components (ndsdavsrv.sys & utlsrv.exe) -
HKLM\SOFTWARE\Microsoft\Ole
"MachineDriverConfig" = 88, 03, 00, 00
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDSDAVSRV\
"NextInstance" = 01, 00, 00, 00
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDSDAVSRV\0000\
"Class" = LegacyDriver
"ClassGUID" = {8ECC055D-047F-11D1-A537-0000F8753ED1}
"ConfigFlags" = 00, 00, 00, 00
"DeviceDesc" = ndsdavsrv
"Legacy" = 01, 00, 00, 00
"Service" = ndsdavsrv
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDSDAVSRV\0000\Control\
"*NewlyCreated*" = 00, 00, 00, 00
"ActiveService" = ndsdavsrv
HKLM\SYSTEM\CurrentControlSet\Services\ndsdavsrv
"DisplayName" = ndsdavsrv
"ErrorControl" = 00, 00, 00, 00
"ImagePath" = C:\WINNT\System32\ndsdavsrv.sys
"Start" = 03, 00, 00, 00
"Type" = 01, 00, 00, 00
HKLM\SYSTEM\CurrentControlSet\Services\ndsdavsrv\Enum
"0" = Root\LEGACY_NDSDAVSRV\0000
"Count" = 01, 00, 00, 00
"NextInstance" = 01, 00, 00, 00
HKLM\SYSTEM\CurrentControlSet\Services\ndsdavsrv\Security
"Security" = {hex codes}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
"Comclg32" = C:\WINNT\System32\utlsrv.exe /Comclg32.dll
Utlsrv monitors the running applications and, if one of them matches a built-in list, injects the Trojan's code into the memory space of that running application. This is the list of applications the Trojan checks for -
javaw.exe
client.exe
PartyGaming.exe
mppoker.exe
poker.exe
gameclient.exe
ultimatebet.exe
absolutepoker.exe
mainclient.exe
pokerstars.exe
pokerstarsupdate.exe
partypoker.exe
fulltiltpoker.exe
pokernow.exe
multipoker.exe
empirepoker.exe
eurobetpoker.exe
The code found in 'd3dclsrv.dll' contains keylogger instructions. The code within 'comclg32.dll' monitors for the activation of certain gambling applications related to poker sites -
CEPoker
partypoker
pokernow
MultiPoker
Empirepoker
If one of these is detected, the keylogger component stores the captured logon information and then submits it to a predefined web server through a server-side script.
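The following host-artifact check is an added example and is not part of the Fortinet analysis or the Trojan's own code. It matches the four dropped files, the Run key value, the ndsdavsrv service and the injection-target process list documented above against inputs supplied as plain Python structures; the sample inputs are constructed, and collecting them from a live host (directory listing, registry export, process list) is assumed to be done elsewhere.

```python
"""Check collected host data for the W32/Small.LA!tr.bdr indicators above."""

# Indicators taken from the analysis: dropped files, Run value, service name.
DROPPED_FILES = {"comclg32.dll", "d3dclsrv.dll", "ndsdavsrv.sys", "utlsrv.exe"}
RUN_VALUE_NAME = "comclg32"
LOADER_EXE = "utlsrv.exe"
SERVICE_NAME = "ndsdavsrv"
# Processes utlsrv.exe injects into; their presence raises the risk rating.
TARGET_PROCESSES = {
    "javaw.exe", "client.exe", "partygaming.exe", "mppoker.exe", "poker.exe",
    "gameclient.exe", "ultimatebet.exe", "absolutepoker.exe", "mainclient.exe",
    "pokerstars.exe", "pokerstarsupdate.exe", "partypoker.exe",
    "fulltiltpoker.exe", "pokernow.exe", "multipoker.exe", "empirepoker.exe",
    "eurobetpoker.exe",
}


def check_host(system32_files, run_values, services, processes):
    """Return findings per indicator type plus an overall 'infected' flag.

    system32_files: file names found in the system32 directory
    run_values: {value name: data} from HKLM\\...\\CurrentVersion\\Run
    services: {service name: ImagePath} from HKLM\\...\\Services
    processes: names of running processes
    """
    names = {f.lower() for f in system32_files}
    findings = {"files": sorted(DROPPED_FILES & names), "run_key": [],
                "service": [], "injection_targets": []}
    for name, data in run_values.items():
        # The loader is started as "Comclg32" pointing at utlsrv.exe.
        if name.lower() == RUN_VALUE_NAME or LOADER_EXE in data.lower():
            findings["run_key"].append(f"{name} = {data}")
    for svc, image in services.items():
        # The driver is registered as a legacy service named ndsdavsrv.
        if svc.lower() == SERVICE_NAME or "ndsdavsrv.sys" in image.lower():
            findings["service"].append(f"{svc} -> {image}")
    findings["injection_targets"] = sorted(
        {p.lower() for p in processes} & TARGET_PROCESSES)
    findings["infected"] = bool(
        findings["files"] or findings["run_key"] or findings["service"])
    return findings


# Constructed sample data representing an infected host with a poker client open.
SAMPLE_FILES = ["kernel32.dll", "Comclg32.dll", "utlsrv.exe",
                "ndsdavsrv.sys", "d3dclsrv.dll"]
SAMPLE_RUN = {"Comclg32": r"C:\WINNT\System32\utlsrv.exe /Comclg32.dll"}
SAMPLE_SERVICES = {"ndsdavsrv": r"C:\WINNT\System32\ndsdavsrv.sys",
                   "Spooler": r"C:\WINNT\System32\spoolsv.exe"}
SAMPLE_PROCS = ["explorer.exe", "PokerStars.exe", "utlsrv.exe"]

if __name__ == "__main__":
    print(check_host(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_SERVICES, SAMPLE_PROCS))
```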
Recommended Action
- Check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed; if required, enable the "Allow Push Update" option
- Quarantine/delete the infected files detected and replace them with clean backup copies