W32/Small.LA!tr.bdr

Analysis

This Trojan is a gambling site password stealer, and was coupled with a program named "Rake Back Calculator" (RBCalc). RBCalc could be used to calculate "rake backs" - a "rake back" is a percentage of the money a gambling site receives from a newly registered poker player, and the payment is made to the referring player(s).

The Trojan functions with root-kit qualities, running in the memory space of an already running application. If the Trojanized RBCalc is run, four files are written to the local system with "hidden" and "system" file attributes -

c:\WINNT\system32\comclg32.dll (48,176 bytes)
c:\WINNT\system32\d3dclsrv.dll (9,728 bytes)
c:\WINNT\system32\ndsdavsrv.sys (2,432 bytes)
c:\WINNT\system32\utlsrv.exe (6,432 bytes)

The Trojan will create some registry entries to run the loader components (ndsdavsrv.sys & utlsrv.exe) -

HKLM\SOFTWARE\Microsoft\Ole
"MachineDriverConfig" = 88, 03, 00, 00

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDSDAVSRV\
"NextInstance" = 01, 00, 00, 00

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDSDAVSRV\0000\
"Class" = LegacyDriver
"ClassGUID" = {8ECC055D-047F-11D1-A537-0000F8753ED1}
"ConfigFlags" = 00, 00, 00, 00
"DeviceDesc" = ndsdavsrv
"Legacy" = 01, 00, 00, 00
"Service" = ndsdavsrv

HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDSDAVSRV\0000\Control\
"*NewlyCreated*" = 00, 00, 00, 00
"ActiveService" = ndsdavsrv

HKLM\SYSTEM\CurrentControlSet\Services\ndsdavsrv
"DisplayName" = ndsdavsrv
"ErrorControl" = 00, 00, 00, 00
"ImagePath" = C:\WINNT\System32\ndsdavsrv.sys
"Start" = 03, 00, 00, 00
"Type" = 01, 00, 00, 00

HKLM\SYSTEM\CurrentControlSet\Services\ndsdavsrv\Enum
"0" = Root\LEGACY_NDSDAVSRV\0000
"Count" = 01, 00, 00, 00
"NextInstance" = 01, 00, 00, 00

HKLM\SYSTEM\CurrentControlSet\Services\ndsdavsrv\Security
"Security" = {hex codes}

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Comclg32 = C:\WINNT\System32\utlsrv.exe /Comclg32.dll
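The registry entries above are what an offline triage script would look for in an exported hive. The following helper is an added example, not part of Fortinet's advisory: it parses a Regedit .reg export (the excerpt embedded below is constructed sample data; real exports usually store ImagePath as hex(2)/REG_EXPAND_SZ, which the parser leaves raw) and reports the Run value, the ndsdavsrv service and the legacy driver enumeration key.

```python
# Indicators taken from the advisory: loader service, Run value name and loader EXE.
SERVICE_NAME = "ndsdavsrv"
RUN_VALUE_NAME = "comclg32"
LOADER_EXE = "utlsrv.exe"

# Constructed .reg excerpt (Regedit export format); values mirror the advisory.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Comclg32"="C:\\WINNT\\System32\\utlsrv.exe /Comclg32.dll"
"ctfmon.exe"="C:\\WINNT\\System32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ndsdavsrv]
"DisplayName"="ndsdavsrv"
"ImagePath"="C:\\WINNT\\System32\\ndsdavsrv.sys"
"Start"=dword:00000003
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NDSDAVSRV\0000]
"Class"="LegacyDriver"
"DeviceDesc"="ndsdavsrv"
"Service"="ndsdavsrv"
"""


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Quoted strings and dword:/hex: data are handled; '@' default values are skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, value = line[1:].partition('"=')
            # .reg files escape quotes and backslashes inside string data
            keys[current][name] = value.strip('"').replace('\\"', '"').replace("\\\\", "\\")
    return keys


def find_small_la_artifacts(keys):
    """Return one finding per persistence entry the advisory lists (key names are case-insensitive)."""
    findings = []
    for path, values in keys.items():
        lower = path.lower()
        if lower.endswith("\\currentversion\\run"):
            for name, cmd in values.items():
                if name.lower() == RUN_VALUE_NAME or LOADER_EXE in cmd.lower():
                    findings.append(f"Run value {name} launches {cmd}")
        elif lower.endswith("\\services\\" + SERVICE_NAME):
            findings.append(f"Service {SERVICE_NAME}: ImagePath={values.get('ImagePath')} Start={values.get('Start')}")
        elif "\\enum\\root\\legacy_" + SERVICE_NAME in lower and "DeviceDesc" in values:
            findings.append(f"Legacy driver enumeration key {path}")
    return findings
```

Run it against `reg export HKLM\SYSTEM` / `HKLM\SOFTWARE` output from a suspect host; the legitimate ctfmon Run entry in the sample is deliberately not reported.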

Utlsrv monitors running applications and, if one matches an entry in its list, the Trojan injects its code into the memory space of that running application. The applications the Trojan checks for are -

javaw.exe
client.exe
PartyGaming.exe
mppoker.exe
poker.exe
gameclient.exe
ultimatebet.exe
absolutepoker.exe
mainclient.exe
pokerstars.exe
pokerstarsupdate.exe
partypoker.exe
fulltiltpoker.exe
pokernow.exe
multipoker.exe
empirepoker.exe
eurobetpoker.exe

The code found in 'd3dclsrv.dll' contains keylogger instructions. The code within 'comclg32.dll' monitors for the activation of certain gambling applications related to poker sites -

CEPoker
partypoker
pokernow
MultiPoker
Empirepoker

If these are detected, the keylogger component stores the logon information then submits it to a predefined web server using a server-side script.

Recommended Action

FortiGate systems:
  • check the main screen using the web interface to ensure the latest AV/NIDS database has been downloaded and installed -- if required, enable the "Allow Push Update" option

FortiClient systems:
  • Quarantine/Delete infected files detected and replace infected files with clean backup copies

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR