Old Malware Takes Advantage of Windows God Mode to Persist on Infected Machines

Rafia Shaikh
Posted Apr 30, 2016

Remember the Windows Easter egg called God Mode? It lets users create a folder, give it a special name, and turn it into a shortcut to Windows settings. This gives administrators and power users quick access to more than 260 functions and tools for managing system settings. You can read more about what God Mode is or how it is created. Right now, though, we are here to talk about a malware family that has apparently been taking advantage of this so-called God Mode for persistence.


Malware leverages Windows God Mode

Security researchers have discovered that a malware family dubbed Dynamer abuses Windows God Mode by installing itself into one of these folders. After installing itself into such a folder inside the %AppData% directory, the malware creates a registry Run key to persist across reboots. The files placed within these folders are not easily accessible via Windows Explorer, because the folders do not open like normal folders but instead redirect the user, McAfee’s Craig Schmugar has explained. This lets Dynamer execute normally while the folder it is installed in cannot be opened directly through Windows Explorer.

In the case of a recent threat variant, Dynamer, the malware is installed into one of these folders inside of %AppData%. A registry run key is created to persist across reboots. (The executable name is dynamic.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lsm = C:\Users\admin\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe

This key allows the malware to execute normally, but when the folder “com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}” is opened, it redirects to the RemoteApp and Desktop Connections control panel item.

If that wasn’t bad enough, the malware creator has named the directory “com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}”, so Windows treats the folder as a device thanks to the “com4” in the name. This prevents users from easily deleting the folder with Windows Explorer or from the command line.


Users can still get rid of this malware by terminating Dynamer in Task Manager and then running the following command:

> rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q
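As an added defender-side example (not code from the article or from McAfee), the following Python scans Run values for executables living under a CLSID-suffixed "God Mode" folder, notes when the folder's stem is a reserved device name such as com4, and builds the \\.\ removal command shown above. The Run values are constructed samples; the first mirrors the registry value quoted in the article, and the CLSID in the third is made up.

```python
import re
from typing import Dict, List, NamedTuple

# A "God Mode" folder is "<stem>.{CLSID}"; Explorer treats it as a shell shortcut.
_CLSID_FOLDER = re.compile(
    r"^(?P<stem>[^\\/]+)\.\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# Reserved DOS device names: a folder whose stem is one of these resists normal deletion.
_RESERVED = re.compile(r"^(?:CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])$", re.I)

class Finding(NamedTuple):
    run_value: str       # name of the Run value (e.g. "lsm")
    image_path: str      # executable path extracted from the value
    folder: str          # the suspicious "<stem>.{CLSID}" component
    reserved_name: bool  # stem is a DOS device name, as with "com4" in the article
    removal_cmd: str     # cmd.exe removal via the \\.\ device-path prefix

def _image_path(value: str) -> str:
    # Strip arguments from a quoted Run value; unquoted values are taken whole.
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value

def scan_run_entries(entries: Dict[str, str]) -> List[Finding]:
    # Flag Run entries whose image sits under a CLSID-suffixed folder.
    findings: List[Finding] = []
    for name, value in entries.items():
        path = _image_path(value)
        parts = re.split(r"[\\/]+", path)
        for i, part in enumerate(parts[:-1]):          # directories only
            m = _CLSID_FOLDER.match(part)
            if not m:
                continue
            folder_path = "\\".join(parts[: i + 1])
            reserved = bool(_RESERVED.match(m.group("stem")))
            findings.append(Finding(name, path, part, reserved,
                                    f'rd "\\\\.\\{folder_path}" /S /Q'))
    return findings

# Constructed sample Run values (first mirrors the article; third CLSID is made up).
SAMPLE_RUN_ENTRIES = {
    "lsm": r"C:\Users\admin\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe",
    "OneDrive": r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "updater": r"C:\Users\admin\AppData\Roaming\tools.{11111111-2222-3333-4444-555555555555}\upd.exe",
}

if __name__ == "__main__":
    for f in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print(f"{f.run_value}: {f.folder} reserved={f.reserved_name}\n  {f.removal_cmd}")
```

On a live Windows host the same function can be fed the values enumerated from HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (for example via the winreg module).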

Dynamer is considered a severe threat to users, but because it has been doing the rounds for the past few years, your antivirus program or Windows Defender should be able to detect it. The God Mode trick, however, is new behavior: the malware is leveraging yet another OS function to infect devices or persist on infected machines.
