Windows GodMode Abused by Malware

Av Gurus

Level 29
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Sep 22, 2014
1,767
Security researchers at McAfee Labs have come across a new malware family that is abusing a secret Easter Egg in Microsoft Windows called "GodMode."

GodMode consists of a piece of code that Microsoft left inside Windows since Vista that allows users to create a folder, give it a specific name, and automatically transforming it into a container that lists all the shortcuts to all the Control Panel settings.

Nobody knows how GodMode panels came to be, but most likely they were used by Microsoft's staff for debugging purposes.

Users can add GodMode panels anywhere, and to create one, just make a new folder and give it the following name (You can replace GodMode with any word you wish).

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

McAfee researchers recently revealed that they've seen malware that uses this trick, with a slight modification.

GodMode abused by Dynamer to open backdoor connections
The malware called Dynamer was infecting computers and in order to gain persistence it was adding a new entry to the local Windows Registry that automatically started its malicious process with every startup.

This registry key contained a slightly modified GodMode path which automatically opened and redirected users to the "RemoteApp and Desktop Connections" control panel item.

Taking into account that Microsoft categorizes Dynamer as a backdoor trojan, it appears that this is how the malware was opening connections from an infected computer to its master server. The Dynamer registry key was as follows.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lsm = C:\Users\admin\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe

As you can see, the GodMode path was slightly different in order to link directly to the "RemoteApp and Desktop Connections" control panel item.

The malware was almost unremovable. Almost.
Additionally, the GodMode string was also replaced with com4. While the GodMode string was never obligatory to create a GodMode panel and users have often replaced it with anything they wanted, using com4 has some repercussions.

"The malware author has attempted to give this directory eternal life, by prepending the name 'com4'," Craig Schmugar from McAfee Labs explained. "Such device names are forbidden by normal Windows Explorer and cmd.exe commands and Windows treats the folder as a device, thus preventing users from otherwise easily deleting the folder with Explorer or typical console commands."

Nevertheless, the McAfee team found a way to delete such malicious items from someone's computer. In this case, users could run the following command to delete the malware. In case you find Dynamer in other places than your AppData folder, just make sure to alter the CLI command with the proper file path.

> rd “\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}” /S /Q
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Is there a script or method to disable "godmode" ?
Tha'ts a serious screw up on the part of MS, wow.
Awesome share AV Gurus.
PeAcE
 
  • Like
Reactions: Der.Reisende

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top