Malware Uses Windows God Mode to Infect Devices

Remember the Windows Easter egg called God Mode? It lets users create a folder, give it a special name, and turn it into a shortcut to Windows settings. This gives administrators and power users access to over 260 functions and tools, with quick access to system settings. You can read more about what God Mode is and how it is created. Right now, though, we are here to talk about a malware that has apparently been taking advantage of this so-called God Mode for persistence.

Malware leverages Windows God Mode

Security researchers have discovered that a malware dubbed Dynamer has abused Windows God Mode, having been installed into one of these folders. By installing itself into a folder inside the %AppData% directory, the malware creates a registry run key to persist across reboots. "The files placed within these shortcuts are not easily accessible via Windows Explorer, as these folders do not open like other normal folders, but redirect the user," McAfee's Craig Schmugar has explained. This lets the Dynamer malware execute normally, while the folder inside which it is installed cannot be opened directly through Windows Explorer.

In the case of a recent threat variant, Dynamer, the malware is installed into one of these folders inside of %AppData%. A registry run key is created to persist across reboots. (The executable name is dynamic.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lsm = C:\Users\admin\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe

This key allows the malware to execute normally, but when the folder "com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" is opened, it redirects to the RemoteApp and Desktop Connections control panel item.

If that wasn't bad enough, the malware creator has named the directory "com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}", making Windows treat the folder as a device thanks to the "com4" in the name. This prevents users from easily deleting the folder with Windows Explorer or the command line.
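The two tricks above (a CLSID suffix that makes Explorer redirect instead of listing the folder, and a reserved device name such as "com4" that blocks normal deletion) are easy to hunt for in Run-key values. The following is an added example written for this article, not code from McAfee or the original post; it checks constructed sample Run values offline, and the value names and the benign OneDrive entry are assumptions.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Windows reserved device names. A folder whose name starts with one of these
# followed by a dot cannot be removed through the normal Win32 path API, which
# is why the removal command in the article needs the \\.\ device prefix.
RESERVED_DEVICE_NAMES = {"CON", "PRN", "AUX", "NUL"} | {
    f"{base}{n}" for base in ("COM", "LPT") for n in range(1, 10)
}

# Explorer treats "<anything>.{CLSID}" as a shell folder and opens the control
# panel item for that CLSID instead of listing the directory's real contents.
CLSID_SUFFIX = re.compile(
    r"^(?P<stem>.+)\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)

class Finding(NamedTuple):
    value_name: str
    folder: str
    reasons: Tuple[str, ...]

def inspect_run_value(value_name: str, command: str) -> Optional[Finding]:
    """Flag a Run-key value whose executable lives in a CLSID-suffixed folder,
    and note additionally if that folder also carries a reserved device name."""
    path = command.strip().strip('"')
    components = [c for c in path.split("\\") if c]
    for folder in components[:-1]:  # directory components only, not the .exe
        m = CLSID_SUFFIX.match(folder)
        if not m:
            continue
        reasons = ["CLSID-suffixed shell folder: Explorer redirects instead of listing"]
        if m.group("stem").upper() in RESERVED_DEVICE_NAMES:
            reasons.append("reserved device name prefix: blocks normal deletion")
        return Finding(value_name, folder, tuple(reasons))
    return None

def scan_run_values(values: Dict[str, str]) -> List[Finding]:
    """Run the check over a name -> command mapping of Run-key values."""
    return [f for f in (inspect_run_value(n, c) for n, c in values.items()) if f]

# Constructed sample of HKCU\...\Run values: one benign, one as in the article.
SAMPLE_RUN_VALUES = {
    "OneDrive": r"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
    "lsm": r"C:\Users\admin\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe",
}

if __name__ == "__main__":
    for f in scan_run_values(SAMPLE_RUN_VALUES):
        print(f"{f.value_name}: {f.folder} -> {'; '.join(f.reasons)}")
```

On a live system the same mapping can be filled from the Run key (for example via `winreg` or `Get-ItemProperty` in PowerShell) before calling `scan_run_values`.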

Users can nonetheless get rid of this malware by terminating Dynamer using the Task Manager and running the following command.

> rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q

Dynamer is considered a severe threat to users, but your antivirus program or Windows Defender should be able to detect it, as it has been doing the rounds for the past few years. However, this is a new behavior, as the malware attempts to leverage different OS functions to infect devices or persist on infected machines.

Source: https://wccftech.com/malware-uses-windows-god-mode-to-infect-devices/

Posted by: thomasglat1937.blogspot.com
