Name: E-MAIL Password Sender
Version: 1.51
Author: DK32
Language: C++
Packed: Petite 1.3
| | Server | Editor |
|---|---|---|
| Name | eps.exe | config.exe |
| Size | 72964 (07.05.1999) | 47616 (07.05.1999) |
| KAV detected | Trojan.PSW.Eps.151 | Trojan.PSW.Eps.151 |
Warning:
The trojan also sends passwords to the e-mail address pass300@mail.ru
Features:
[1.04]
- Worked on computers that don't have a real DIAL-UP connection.

[1.05]
- Process32First() and Process32Next() don't see EPS in memory. (Test it by FAR.EXE)

[1.06]
- EPS doesn't delete its body now at install process and doesn't run two copies of body in C:\WINDOWS\SYSTEM.
- Now EPS sends crypted messages with passwords. Use filed.exe for uncrypt.
- Now EPS sends message every week.

[1.07]
- Increase EPS shield.

[1.08]
- Now EPS has Advanced Dialer method. For advanced users only. Attention on "UsPwr" string.
- Dial-Up BUG Dead. Thanx to Mu (from Brazil).
- New! DEBUG MODE. In this mode you may see how program sends message to you. EPS in this mode doesn't install its body. New question in configuration: Debug Mode [y/N]?
- config.exe's CW3230.dll BUG Dead. Thanx to Mu (from Brazil).

[1.09]
- New question in configuration: Use hide in memory against CTRL-ALT-DEL [Y/n]?
- New question in configuration: Use hide in memory against FAR.EXE, WINTOP.EXE and so on [y/N]?

[1.10]
- New question in configuration: Run two copy of EPS at first execution [y/N]?
- IP filter added. If you don't want to receive passwords from some net use IP filter. Max number of filters = 10.

[1.20]
- New method of EPS configuration.
- v2.00 - New crypt type.

[1.30]
- Allowed send group of files. Use Wildcards (*, ?) for it.
- New FLAG in configuration CRYPTMSGS. Enable/Disable crypt messages.
- CRYPT FUNCTION bug dead. Thanx to "ð??''".
- New method of crypt message UUE v3.0.
- Multiple configurations are allowed.
- New flag in configuration DELETEBODY. Worked only if FIRSTEXEC=Yes.
- Now you can take path to dir from registry. See config.ctl.
- New word in configuration - REGTREETEXTONLY and REGTREEBINNARYONLY. See config.ctl.
- Trojan can uninstall its body after some date.

[v1.35]
- EPS hooks Structured Exception Handling (SEH) and if program has bug and this bug occurred then EPS simply exits. See USESEH.
- Now EPS has Invisible Files method (as IF2000, but via RING0 - not VxD). See HIDEINSTFILE in config.ctl.
- Rewrite all RING0 procedures (detected big bug). This bug have Win95.CIH, but author ignore it.
- Password no crypt bug dead. Sorry.
- EPS now sends more information about user (Country ID, Phone number and so on).

[v1.40]
- New flags in configuration SUPERREGHIDE and DEBUG2.
- Tested in Windows 98 [Version 4.10.98]. Work good.

[v1.41]
- Write to registry via VxD. Anti "Regsnap" or "Pc Security Guard".

[v1.50]
- VIRUS MODE added.

[v1.51]
- New and two method of hide in registry SUPERREGHIDELEVEL2. SUPERREGHIDELEVEL1 work good, but if you type F5 (refresh) description will see to you. Thanx to Mu (Brazil). Use SUPERREGHIDELEVEL1 and SUPERREGHIDELEVEL2 always.
- RING0 of procedure level2 bug dead. OK! RING0 procedure now very good. It's true.
- Tested all RING0 procedures. This is extraordinary procedures now. Very thanx to Mu. He very good help me by test EPS.