Two Plus Two Newer Archives  

  #81  
05-14-2006, 04:40 PM
goodguy_1
Senior Member
Join Date: Sep 2002
Location: FL
Posts: 3,779
Re: NOTICE: Possible Virus in Poker Software (RBCALC)

[ QUOTE ]
Yet is the magic word. Let's look at the possibilities:

1) Our usernames/passwords could have been sold to unscrupulous individuals

2) The developer could have planned to capture the data, to be abused at a later date

3) It's possible that theft has occurred/will occur in other ways. If they have access to our poker user names and passwords then they probably also have access to things such as our online bank info, or Neteller account info, and anything else that we use that is secure and protected by our computers.

I spent 6 hours yesterday changing the passwords on every site that I can think of that may be at risk in any way including things such as my bank, American Express, sites I pay bills using EFT transfers, etc. It's the smartest thing for everyone who ever used this app to do regardless if they found the infection as a precaution. I also recommend purchasing and using Roboform, an application which tracks your individual passwords with secure password generation so a key logger cannot capture your data. Optionally you can use a USB key so you can take your passwords with you.

[/ QUOTE ]
Will do, going to take your advice on this and do all of this in the next 24 hrs.
- This is good advice to do probably annually or semi-annually even without this specific threat.
  #82  
05-14-2006, 06:09 PM
NeverLie
Senior Member
Join Date: Feb 2006
Location: WW broke my F5 key
Posts: 449
Re: NOTICE: Possible Virus in Poker Software (RBCALC)

[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
Can't delete either of the dlls because they are either "currently in use or write protected"

The mentioned exe is not currently running, and rbcalc.exe is deleted. Any idea of any other programs that may be using these dlls?

[/ QUOTE ]

The trojan is currently using the .dlls.

Restart your machine in safe mode, you do this by pressing F8 during the split second time between the BIOS when you first boot your PC and the loading Windows splash screen. Also disable system restore before you do all this because the .dlls are likely backed up by Windows XP. All of these instructions are available at Symantec's website, which is where everyone should be running to first. I'd trust their instructions over anything you see here (including advice coming from me).

TT

[/ QUOTE ]

Turns out it must have been interacting with Full Tilt Poker. Soon as I closed the client, it freed up the dlls and let me proceed as normal.

[/ QUOTE ]

I find this very interesting. It's likely that starting a poker client enables the Trojan. This could mean the original concept was to watch hole cards as the primary method of theft, not chip dumping after all. This also means that the level of theft may be much greater than originally suspected.

TT

[/ QUOTE ]

Yes, I was thinking the exact same thing. Or it could be as simple as running the trojan when a poker client starts up for the simple purpose of enabling a keylogger. But, if you are already able to log keystrokes, it's just as easy to scrape the screen.
  #83  
05-14-2006, 06:55 PM
rt1
Senior Member
Join Date: Jun 2004
Location: MN!!!!!!!!!!!!!!!
Posts: 907
Re: NOTICE: Possible Virus in Poker Software (RBCALC)

[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
[ QUOTE ]
Can't delete either of the dlls because they are either "currently in use or write protected"

The mentioned exe is not currently running, and rbcalc.exe is deleted. Any idea of any other programs that may be using these dlls?

[/ QUOTE ]

The trojan is currently using the .dlls.

Restart your machine in safe mode, you do this by pressing F8 during the split second time between the BIOS when you first boot your PC and the loading Windows splash screen. Also disable system restore before you do all this because the .dlls are likely backed up by Windows XP. All of these instructions are available at Symantec's website, which is where everyone should be running to first. I'd trust their instructions over anything you see here (including advice coming from me).

TT

[/ QUOTE ]

Turns out it must have been interacting with Full Tilt Poker. Soon as I closed the client, it freed up the dlls and let me proceed as normal.

[/ QUOTE ]

I find this very interesting. It's likely that starting a poker client enables the Trojan. This could mean the original concept was to watch hole cards as the primary method of theft, not chip dumping after all. This also means that the level of theft may be much greater than originally suspected.

TT

[/ QUOTE ]

I am going to pass this on and get this confirmed.

TT thanks a ton, you've been a huge help in this thread.
  #84  
05-14-2006, 08:45 PM
Dazarath
Senior Member
Join Date: Nov 2004
Location: (>'.')>
Posts: 3,394
Re: NOTICE: Possible Virus in Poker Software (RBCALC)

[ QUOTE ]
I also recommend purchasing and using Roboform, an application which tracks your individual passwords with secure password generation so a key logger cannot capture your data. Optionally you can use a USB key so you can take your passwords with you.

[/ QUOTE ]
TT, could you explain how this RoboForm works exactly, and how the USB key version works? What exactly does it do to prevent keyloggers from capturing passwords? This sounds like something that might be useful to me, considering how paranoid I am about internet security. (Like you, I also went and changed all my passwords after I removed this crap.)
  #85  
05-14-2006, 10:09 PM
RockPile
Senior Member
Join Date: May 2004
Location: 1/2
Posts: 316
Re: NOTICE: Possible Virus in Poker Software (RBCALC)

[ QUOTE ]
Wow, I can't believe this is finally coming out now.

I posted about this virus thingy back in February and I emailed the guys at checkraised.com, never heard anything back.

http://forumserver.twoplustwo.com/sh...7877&page=

[/ QUOTE ]

Okay, so to clarify here for everyone. I've been discussing this with rt1 and they can't find any email or correspondence from myself directly to them on this matter back in Feb. I don't keep historical emails so there is no way for me to check to see if it went through. So at this point we all need to assume that my email to the guys at checkraised never made it through, I don't have a copy, they don't have a copy. So no proof I sent it. Apologies to anyone that has caused anyone any extra trouble.
  #86  
05-15-2006, 12:56 AM
x2ski
Senior Member
Join Date: Jun 2004
Location: You agitatin' my dots?
Posts: 1,918
Re: NOTICE: Possible Virus in Poker Software (RBCALC)

I don't know if this helps anything or not, but for the past few weeks since I downloaded Spybot Search and Destroy, every reboot of my comp would show this:



Actually, the above showed up when deleting "Comclg32=C:\WINDOWS\System32\utlsrv.exe /Comclg32.dll" from the Registry, so I think instead of "Value Deleted", it said "Value Added", when I got the notice in the past.

Anyway, it didn't seem malicious (but I don't really know anything about viruses), so I continuously accepted the registry change.

Has anyone else had this same experience w/ Spybot or anything similar?

Why would this change be made on a daily basis? Either I'm infected or I'm not, right?

Well, I'm off to change some passwords...
  #87  
05-15-2006, 01:44 AM
rt1
Senior Member
Join Date: Jun 2004
Location: MN!!!!!!!!!!!!!!!
Posts: 907
Re: NOTICE: Possible Virus in Poker Software (RBCALC)

If you have the registry entry it's safe to say you are infected. Did you use rbcalc?

please follow my instructions and remove this file.

thanks
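
A read-only check for the indicators named in posts #86 and #87, added here as an example and not written by anyone in the thread: it looks for the `Comclg32` and `utlsrv.exe` strings quoted in post #86 in the autostart Run keys and in the modules loaded by running processes. Searching the Run keys is an assumption, since the post says only "the Registry", and the function names are hypothetical.

```powershell
# Added example, not from the thread. The indicator strings are the ones
# quoted in post #86; the registry locations are an assumption (the post
# says only "the Registry"), so the standard autostart keys are searched.
$Indicators = @('utlsrv.exe', 'Comclg32')
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Test-Indicator([string]$Text) {
    # -like is case-insensitive, which matches how Windows treats file names.
    foreach ($i in $Indicators) {
        if ($Text -like "*$i*") { return $true }
    }
    return $false
}

function Find-RunKeyHits {
    foreach ($key in $RunKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $data = [string]$item.GetValue($name)
            if ((Test-Indicator $name) -or (Test-Indicator $data)) {
                [pscustomobject]@{ Key = $key; Name = $name; Data = $data }
            }
        }
    }
}

function Find-LoadedModuleHits {
    # Processes that currently have an indicator file mapped.
    foreach ($p in Get-Process) {
        try { $mods = $p.Modules } catch { continue }  # access denied or exited
        foreach ($m in $mods) {
            if (Test-Indicator $m.ModuleName) {
                [pscustomobject]@{ Process = $p.ProcessName; Id = $p.Id; Module = $m.FileName }
            }
        }
    }
}

[pscustomobject]@{
    RunKeyHits = @(Find-RunKeyHits)
    ModuleHits = @(Find-LoadedModuleHits)
    FileOnDisk = Test-Path 'C:\WINDOWS\System32\utlsrv.exe'
} | Format-List
```

A module hit names the process holding the file open, which is the situation in the quoted posts about DLLs reported as "currently in use". Run it from an elevated prompt so that modules of other users' processes can be read.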
  #88  
05-15-2006, 08:21 AM
*TT*
Senior Member
Join Date: Apr 2004
Location: Vehicle Chooser For Life!
Posts: 17,198
Re: NOTICE: Possible Virus in Poker Software (RBCALC)

Oddly enough, another Trojan horse hit the poker world yesterday. This isn't surprising; hackers usually follow a monkey see monkey do strategy. The Trojan is delivered by visiting a website; the victim is sent to the infected website address via the Crypto chat window. - LINK

Apparently this follows a 30,000,000 theft from customer accounts by an employee at Ladbrokes. This hasn't been a good week for online poker security.

TT
  #89  
05-15-2006, 02:15 PM
x2ski
Senior Member
Join Date: Jun 2004
Location: You agitatin' my dots?
Posts: 1,918
Re: NOTICE: Possible Virus in Poker Software (RBCALC)

[ QUOTE ]
If you have the registry entry it's safe to say you are infected. Did you use rbcalc?

please follow my instructions and remove this file.

thanks

[/ QUOTE ]

I don't remember using rbcalc, but I did have all of the dll, sys and exe files associated with it, so I followed your instructions for removal.

Thanks
  #90  
05-15-2006, 03:22 PM
rt1
Senior Member
Join Date: Jun 2004
Location: MN!!!!!!!!!!!!!!!
Posts: 907
Re: NOTICE: Possible Virus in Poker Software (RBCALC)

[ QUOTE ]
[ QUOTE ]
If you have the registry entry it's safe to say you are infected. Did you use rbcalc?

please follow my instructions and remove this file.

thanks

[/ QUOTE ]

I don't remember using rbcalc, but I did have all of the dll, sys and exe files associated with it, so I followed your instructions for removal.

Thanks

[/ QUOTE ]

Ok - this is interesting.

Can you let me know any other software you have downloaded and installed around that time? Do you download a lot of pirated/warez type software? What other poker apps have you downloaded?

Ryan