The EOEO Virus is an AutoIt-based ransomware which is probably a test release. The current version contains a fully-functioning encryption engine which processes sensitive user data and appends the .eoeo extension. Future versions might include other dangerous components. Our article provides an overview of the virus operations and may also be helpful in attempting to remove the virus.
| | |
|---|---|
| Short Description | The ransomware encrypts sensitive information on your computer system with the .eoeo extension and demands a ransom to be paid to allegedly recover them. |
| Symptoms | The ransomware will encrypt your files with a strong encryption algorithm. |
| Distribution Method | Spam Emails, Email Attachments |
EOEO Virus – Distribution Ways
The EOEO virus samples have been found in a limited attack against users worldwide. It is based on AutoIt scripts, which means that it is most likely made by beginner hackers following various online guides. As such we presume that the most widely used distribution tactics are going to be adopted in future updates.
A common technique is to coordinate email SPAM messages that depend on social engineering tactics to coerce the victims into interacting with a malicious element. The virus setup files are usually directly attached or linked in the body contents. The messages themselves are designed to appear just like any ordinary notification: software updates, password reminders and other contents that require some kind of user intervention.
The criminals behind the EOEO virus can help spread the threat further by creating fake download sites that mimic the legitimate vendor download sites and famous Internet portals. Most of these cases rely on similar-sounding domain names and security certificates that can fool many users into opening them.
In some cases the criminals may also opt to integrate the virus code into malicious carriers which include the following two examples:
- Infected Documents — The EOEO virus can be integrated into the most popular documents as built-in macros. The hackers target the most widely used document types: presentations, databases, text files and spreadsheets. Once the files are opened by the victim users a notification prompt will appear asking them to enable the built-in content. If this is done the virus infection will be triggered.
- Application Installers — The virus code can be made part of setup files of popular software: creativity suites, system utilities and productivity solutions. This is done by taking the original files from the official sites and modifying them with the virus code.
Advanced viruses are also likely to rely on another method that delivers malware files via infected web browser plugins. They are usually posted to the relevant browser’s repository using fake user reviews and developer credentials. Once they are installed a settings change will be triggered — the built-in code will manipulate the installed browsers into redirecting the users to a hacker-controlled site. When this is done the malicious instructions will load the EOEO virus onto the infected machines.
Both the infected carriers and the executable virus files can be distributed via file sharing networks such as BitTorrent as well. These networks are often used by computer users to share pirated content.
EOEO Virus – In-Depth Analysis
The security analysis performed on the captured EOEO virus samples shows that it is based on AutoIt scripts. This gives the experts the presumption that the virus was probably made by following an online tutorial or is a modified version of a previous AutoIt-based ransomware. Typical ransomware is written from scratch or uses modules from dangerous ransomware families, while this particular version contains only the basic encryption engine.
There are two theories that can be ascribed to the origins and goals of the hacker or group behind the EOEO virus. The first one speculates that it has been created with the goal of infecting as many users as it can in the designated virus campaigns. The other theory is that the captured releases are merely test versions of a larger and more feature-rich threat which is to be deployed in the coming future.
The current EOEO virus seems to follow the usual behavior pattern; when it is upgraded further it will probably add newer components and modules. Future attacks will probably begin with a data harvesting module, since viruses typically gather sensitive information that is grouped into two main types:
- Personal Information — This data can expose the victim users' identity. The engine is set to automatically harvest strings such as their name, address, phone number, location and stored account credentials.
- Campaign Metrics — The hackers can also harvest certain data that can help them optimize their attacks. The collected metrics usually make use of a report of the installed hardware components, certain operating system values and user-set options.
This data can then be further processed by another component called stealth protection. It searches for signatures of security services or applications that can interfere with the malicious execution. In most cases the list includes all popular anti-virus programs, sandbox environments and virtual machine hosts. The stealth protection component will bypass or altogether delete the real-time engines. This allows the EOEO virus to intrude onto the system, hook into system processes, create its own processes and take on administrative privileges.
Various system modifications can follow including the following:
- Windows Registry Changes — The EOEO virus can access the Windows registry and modify entries at will. If programmed to modify the ones related to the operating system then overall performance may greatly suffer. Modifications to the user-installed applications can lead to problems when launching certain functions.
- Persistent Installation — The EOEO virus can be installed as a persistent threat by creating its own strings in the Windows Registry and by modifying certain boot options. Usually these changes will render access to the recovery menu impossible which prevents many manual restore functions.
- Additional Threat Delivery — The EOEO virus infection itself can be used as a payload carrier for other viruses and Trojans. A popular example would be a cryptocurrency miner that can take advantage of the available system resources. They are either delivered as scripts or stand-alone files. Once they are found on the victim systems they will start to work on complex calculations. When these are complete and reported to the relevant servers, digital currency will be rewarded to the hacker operators.
- Trojan Module — The EOEO virus may also install a Trojan module which will connect the infected computer to a remote host using a secure and encrypted connection. It will allow the hacker operators to take over control of the host, deploy other threats and spy on the victims at any given moment.
AutoIt scripts can easily be programmed into launching various modules. Other components can easily be adapted and built into the virus files.
EOEO Virus — Encryption
The ransomware component is called once all prior actions have successfully completed. It will target files based on a built-in list of target data. The victim files will be processed with a strong cipher and the users will not be able to access them. An example list targets the following data:
Once this process is complete the victim users will find that their files are renamed with the .eoeo extension. A generic ransomware note may be produced blackmailing the users into paying the hackers a fee to “decrypt” their files.
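The .eoeo extension is the one concrete indicator this article gives for the encryption stage. The following triage script is an added example written for this article, not code from the sample or from any vendor tool: it walks a directory, lists every file carrying the .eoeo extension, and uses the Shannon entropy of the file head to separate genuine ciphertext from files that were merely renamed, so an analyst knows how many files a decryptor would actually have to handle. The sample directory it builds is constructed for the demonstration; the 7.0 bits/byte threshold is an assumption chosen here.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

RANSOM_EXT = ".eoeo"   # extension the article reports being appended to encrypted files
SAMPLE_BYTES = 4096    # how much of each file head to sample for entropy
HIGH_ENTROPY = 7.0     # bits/byte (assumed threshold); ciphertext sits near 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def scan_for_eoeo(root: str) -> list:
    """Walk `root` and return one record per file carrying the .eoeo extension.
    The entropy of the file head separates real ciphertext from files that were
    only renamed, so an analyst knows which ones a decryptor would have to handle."""
    hits = []
    for path in sorted(Path(root).rglob("*" + RANSOM_EXT)):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            head = fh.read(SAMPLE_BYTES)
        ent = shannon_entropy(head)
        hits.append({
            "path": str(path),
            "original_name": path.name[:-len(RANSOM_EXT)],
            "entropy": round(ent, 2),
            "likely_encrypted": ent >= HIGH_ENTROPY,
        })
    return hits

def build_constructed_tree() -> str:
    """Constructed sample directory (not real malware output) for the demo."""
    root = tempfile.mkdtemp(prefix="eoeo_demo_")
    (Path(root) / "report.docx.eoeo").write_bytes(os.urandom(8192))         # looks encrypted
    (Path(root) / "notes.txt.eoeo").write_bytes(b"plain text only\n" * 200)  # renamed only
    (Path(root) / "untouched.txt").write_bytes(b"hello\n")                   # not touched
    return root

if __name__ == "__main__":
    for rec in scan_for_eoeo(build_constructed_tree()):
        print(rec)
```

Point `scan_for_eoeo` at a user profile or share root on an affected machine to get a count of encrypted versus merely renamed files before attempting any recovery.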
Remove EOEO Virus and Restore Encrypted Files
If your computer system got infected with the EOEO Virus, you should have a bit of experience in removing malware. You should get rid of this ransomware as quickly as possible before it can have the chance to spread further and infect other computers. You should remove the ransomware and follow the step-by-step instructions guide provided below.