EPS 1.09
(Trojan-PSW.Win32.Eps.109)

by DK32

Released in April 1999

Made in Russia





1. Configuration of EPS.

Run "config.exe" with the parameter "eps.exe".
On screen you will see:


What I must write in VERSION field (Example: eps v1.09): - Reserved string in the message body for you.

File Name to install: - File name under which to install EPS.

Discryption in Registery: - Description in the registry.

Mail Server: - SMTP server via which EPS will send messages with passwords.

HELO Command: - If you don't know, write here "mustdie.com" .

MAILFROM Command: - Write here your E-MAIL box that will receive passwords.

RCPTTO Command: - Write here your E-MAIL box that will receive passwords.

Use hide in memory against CTRL-ALT-DEL [Y/n]? - Hide EPS from the process list
                  that is shown at CTRL-ALT-DEL.
                  Default Y.

Use hide in memory against FAR.EXE, WINTOP.EXE and so on [y/N]? - Hide EPS
                  from the process list shown by some memory view programs -
                  FAR.EXE, WINTOP.EXE and so on. These programs use the
                  functions Process32First() and Process32Next().
                  EPS uses a RING0 method - we do not recommend using this type
                  of hiding in memory.
                  Default N.

Debug Mode [y/N]? - Debug mode. In this mode EPS does not install its body.
                  It shows a dialog box where you can see how EPS sends the
                  message.
                  Default N.


2. How does the program work?

After configuration the program is ready to be used. It will install to
C:\WINDOWS\SYSTEM and start at every computer startup. When run, EPS
will automatically kill any program running as the file it intends to
install itself as. If the program detects an Internet connection it will send
the passwords cached by MD95 to your E-MAIL box.
Warning! Before usage, test it.

3. Run this program on a victim computer.


// History

[1.04]
- Worked on computers that don't have a real DIAL-UP connection.

[1.05]
- Process32First() and Process32Next() don't see EPS in memory.
  (Test it by FAR.EXE)

[1.06]
- EPS no longer deletes its body during the install process and doesn't run
  two copies of the body in C:\WINDOWS\SYSTEM.

- Now EPS sends encrypted messages with passwords. Use filed.exe to
  decrypt them.

- Now EPS sends a message every week.

[1.07]
- Increase EPS shield.

[1.08]
- Now EPS has an Advanced Dialer method. For advanced users only.
  Attention on "UsPwr" string.

- Dial-Up BUG Dead.

- New! DEBUG MODE. In this mode you can see how the program sends the message
  to you. In this mode EPS does not install its body or hide in memory.
  New question in configuration:
  Debug Mode [y/N]?

- config.exe's CW3230.dll BUG Dead.

[1.09]
- New question in configuration:
  Use hide in memory against CTRL-ALT-DEL [Y/n]?

- New question in configuration:
  Use hide in memory against FAR.EXE, WINTOP.EXE and so on [y/N]?

                             Copr. (c) 1999 DK32    [email protected]



Server:
c:\WINDOWS\SYSTEM\RunMe.exe 

size: 52 KB

startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run "DoNotRemove.exe" 
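
Added example (not part of the original page or of EPS): a defender-side check over SMTP command logs for the two mail traits the readme describes, the suggested default HELO value "mustdie.com" and a MAIL FROM address identical to the single RCPT TO address. The log line format, session ids, IPs and mailbox names are constructed assumptions; both traits are configurable in the trojan, so a match is a lead for triage, not proof.

```python
import re
from collections import defaultdict
# Constructed SMTP command log (not from the page); assumed line format is
# "<session-id> <client-ip> C: <command>".
SAMPLE_LOG = """\
s1 10.0.0.15 C: HELO mustdie.com
s1 10.0.0.15 C: MAIL FROM:<box@example.net>
s1 10.0.0.15 C: RCPT TO:<box@example.net>
s2 10.0.0.22 C: EHLO ws22.corp.example
s2 10.0.0.22 C: MAIL FROM:<alice@corp.example>
s2 10.0.0.22 C: RCPT TO:<bob@example.org>
s3 10.0.0.31 C: HELO ws31.corp.example
s3 10.0.0.31 C: MAIL FROM:<Drop@Example.net>
s3 10.0.0.31 C: RCPT TO:<drop@example.net>
"""

CMD = re.compile(r"^(\S+) (\S+) C: (HELO|EHLO|MAIL FROM:|RCPT TO:)\s*(.*)$", re.I)
DEFAULT_HELO = "mustdie.com"  # HELO value the readme suggests as a default

def parse_sessions(log_text):
    """Group HELO/MAIL FROM/RCPT TO arguments by session id."""
    sessions = defaultdict(lambda: {"ip": None, "helo": None, "from": None, "rcpt": []})
    for raw in log_text.splitlines():
        m = CMD.match(raw.strip())
        if not m:
            continue  # other commands and malformed lines are ignored
        sid, ip, verb, arg = m.groups()
        # Keep only the first token so ESMTP parameters (e.g. SIZE=) are dropped.
        verb, arg = verb.upper(), arg.strip().split(" ")[0].strip("<>").lower()
        s = sessions[sid]
        s["ip"] = ip
        if verb in ("HELO", "EHLO"):
            s["helo"] = arg
        elif verb == "MAIL FROM:":
            s["from"] = arg
        else:
            s["rcpt"].append(arg)
    return sessions

def flag_sessions(log_text):
    """Return {session_id: (client_ip, [reasons])} for sessions showing either trait."""
    findings = {}
    for sid, s in parse_sessions(log_text).items():
        reasons = []
        if s["helo"] == DEFAULT_HELO:
            reasons.append("default-helo")
        if s["from"] and s["rcpt"] == [s["from"]]:
            reasons.append("sender-equals-recipient")
        if reasons:
            findings[sid] = (s["ip"], reasons)
    return findings
```
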

MegaSecurity