Malware Taps Windows' 'God Mode'
Reader wiredmikey writes: Researchers at McAfee have discovered a piece of malware dubbed "Dynamer" that is taking advantage of a Windows Easter Egg -- or a power user feature, as many see it -- called "God Mode" to gain persistency (warning: annoying popup ads) on an infected machine. God Mode, as many of you know, is a handy tool for administrators as it is essentially a shortcut to accessing the operating system's various control settings. Dynamer malware is abusing the function by installing itself into a folder inside of the %AppData% directory and creating a registry run key that persists across reboots. Using a "com4" name, Windows considers the folder as being a device, meaning that the user cannot easily delete it. Given that Windows treats the "com4" folder differently, Windows Explorer or typical console commands are useless when attempting to delete it. Fortunately, there's a way to remove it. McAfee writes: Fortunately, there is a way to defeat this foe. First, the malware must be terminated (via Task Manager or other standard tools). Next, run this specially crafted command from the command prompt (cmd.exe): > rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q.
gort klaatu barada nikto
Does this site have editors? It's tough to tell sometimes. Most of the time.
We finally got https this year. Maybe we'll get utf-8 by 2034.
Or get some editor chappies who are speaking the most jolly good English.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
We have moderators that send bad posts into a -1 point dustbin. The Editors (team that posts the stories) have power to remove anything patently offensive, but don't censor on words alone.
Nice that McAfee found the uninstall instructions for this... but what is the payload they were trying to deploy? The God Mode install of a file device is a way to get in that must be closed, but what did this do if left installed? Knowing what this does if left alone leads to who to blame.
I haven't used Windows in a decade, so I don't know: What happens if you paste curly quotes on the command line?
I think /. is waiting for UTF-9 to be released.
But seriously, if you're worse than Windows at handling standard character sets, you should just be ashamed.
The Windows GUI will prevent creation and removal of any 'special' foldername that looks like a device: LPT1, COM6, CON, etc.
To remove any of those "special" file/foldernames after the fact, all you need is to look for the short 8.3 notation of the filename that the filesystem uses behind the scenes, and which the GUI hides from the end user.
Open a command prompt and navigate to the folder that contains the special name
dir /x
/x will show the associated "short" filename, e.g. co~123 instead of COM4
You can directly remove/rename/etc the file from the command prompt when referring to these short names:
remove a file: del co~123
remove a folder with its contents: rd co~123 /s
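As an added example (not from the story, McAfee, or the commenter above): a small hunting helper that flags files or folders whose names Win32 would parse as a reserved device (the "com4.{GUID}" trick in the story and the LPT1/COM6/CON names listed above) and builds the \\.\ device-namespace path form the McAfee removal command relies on. The function names and the sample profile tree are constructed for the demo; it runs on any OS, while the resulting rd path is only meaningful on Windows.

```python
import os
import tempfile
from pathlib import PureWindowsPath

# Win32 reserved device names. A path component is treated as a device when
# its stem (the part before the first dot) matches one, case-insensitively,
# which is why a folder called "com4.{GUID}" behaves like COM4.
RESERVED = ({"CON", "PRN", "AUX", "NUL"}
            | {f"COM{i}" for i in range(1, 10)}
            | {f"LPT{i}" for i in range(1, 10)})


def is_reserved_device_name(name: str) -> bool:
    """Return True if Win32 path parsing would treat `name` as a device."""
    stem = name.split(".", 1)[0].rstrip(" ")
    return stem.upper() in RESERVED


def device_namespace_path(win_path: str) -> str:
    # Prefix an absolute Windows path with \\.\ so device-name parsing is
    # skipped; this is the form used in the rd command quoted in the story.
    p = PureWindowsPath(win_path)
    if not p.drive:
        raise ValueError("an absolute path with a drive letter is required")
    return "\\\\.\\" + str(p)


def find_device_named_entries(root: str) -> list:
    """Walk `root` and return every file/folder whose name is a reserved device name."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if is_reserved_device_name(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def demo() -> list:
    """Build a constructed sample %AppData% tree and return the flagged basenames."""
    root = tempfile.mkdtemp(prefix="appdata-")
    os.makedirs(os.path.join(root, "Roaming", "Notepad"))  # benign folder
    bad = os.path.join(root, "Roaming", "com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}")
    os.makedirs(bad)
    with open(os.path.join(bad, "dropper.exe"), "wb") as fh:
        fh.write(b"MZ")  # constructed placeholder, not a real binary
    return [os.path.basename(p) for p in find_device_named_entries(root)]


if __name__ == "__main__":
    print(demo())
    print(device_namespace_path(r"C:\Users\alice\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}"))
```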
Beware the tit master.
And 4 years later all the machines will crash when the date flips on their microvax servers.
That's embarrassing. Somehow I suspect that Slashdot simply doesn't have enough staff to do that in a timely manner. Of course, there's an easy solution. Open the fucking source code like it used to be! I'm sure there are people here who would be happy to implement proper UTF-8 support. If you don't have the resources to fix it yourselves, open the damn source again!
The corrected code... Deltree C:*.* & sudo install Linux
What? Clearly windows is not ready for the desktop!
Next, run this specially crafted command from the command prompt (cmd.exe): > rd “\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}” /S /Q.
Fix the bloody quotes, will you?
At least under the old owners we didn't see any sign of Unicode.
systemd is Roko's Basilisk.
Slashdot should have put the command line in a blockquote block. There, fixed that for ya.
Quotes at the command line join together strings that contain spaces... it's basically a one-character escape sequence that keeps the name of the object (directory or filename) together even when it contains a space.
Actually, it was the character references that were the issue, not words. ;)
After all these years, God Mode finally made it into the psDooM system admin tool.
https://slashdot.org/story/99/10/20/1110242/kill--9-with-a-doom-shotgun
http://psdoom.sourceforge.net/
That's embarrassing. Somehow I suspect that Slashdot simply doesn't have enough staff to do that in a timely manner. Of course, there's an easy solution. Open the fucking source code like it used to be! I'm sure there are people here who would be happy to implement proper UTF-8 support. If you don't have the resources to fix it yourselves, open the damn source again!
Wrong. If you "don't have the resources" then fuck off and die and stop using that as excuse for running a shitty website that can't support something as simple as UTF-8, which has existed for 20 years.
RFC 4042
Designing a computer for the "average person" makes as much sense as designing chainsaws for children. Every "butt wiper" that Microsoft crams into the OS to make it more "user-friendly" ends up being some kind of security hole eventually, at which point the users shrug and keep on clicking CUTE_CAT_VIDEO.EXE shortly before they throw up their hands and proclaim that computers are too hard.
Linux is for apps. Appy app app apps! APPS!!
Wow, that was once model +4 Insightful, now it's quickly gone to -1 Flamebait. I'm starting to think the editors are censoring criticism of them, even when it's legitimate.
What's this, magic incantations fit for some sad cliche-driven fantasy story?
It certainly showed me how windows, from the core on up, is made up out of depraved deep depths of stupidity. I knew the thing was rotten, but this is just... sad. A sad little fantasy of sadness, installed on billions of computers. THANK YOU SO MUCH FOR THAT, BILLY GEE.
The corrected code... Deltree C:*.* & sudo install Linux
Now *THAT* is malware!!
There's a reason each Home Depot has a cluster of undocumented people hanging out just beyond the parking lot: their business model is to sell cheap pre-fab stuff so you can hire cheap labor and do your home at half the cost, and almost the quality of having a pro builder do it.
Using a "com4" name, Windows considers the folder as being a device, meaning that the user cannot easily delete it. Given that Windows treats the folder "com4" folder differently, Windows Explorer or typical console commands are useless when attempting to delete it.
Couldn't I just boot up off a Linux disk, mount the Windows partition, and delete the folder that way? Linux isn't going to play along with this "oooo, let's pretend this directory is hardware" game.
Next time, let's just squelch any story that we have to use this disclaimer for. Starve sites that do that to death and they will go away.
"Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
Isn't there a code tag that disables the forum correction?
rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q
Hmm. Not a problem in preview.
Simply boot live Knoppix or whatever and delete the crap data malware. Then when windows has a brain fart because there is a registry entry that is non existent go into so called god mode in safe mode and fix it. Been fixing this kind of bullshit on windows for years and hands down a Linux live cd is the easiest tool to use to fix it. I wonder why Microsoft does not just recommend Linux live cds right in their technical bulletins, it sure beats using any tools the so called "windows experts" use.
That command would only delete user documents. The default "c:" folder is the user folder.
Unless you're logged in as the local administrator account, in which case it's c:\windows\system32
Doing a deltree there won't brick your system, but it will break a lot
Every so often, this atheist thanks FUCKING GOD that he doesn't run Misrosoft's shitty, goddamned, motherfucking garbage shitware anymore!
Fuck Misrosoft, and all the evils they represent. They can collectively lick my asshole after a 5 mile run, the day after I eat a great-big, spicy-hot Mexican dinner.
UTF-8 only started being the most common character encoding on the web in 2008. But really, what is wrong with opening the source?
For example I think the Linux (POSIX?) file system was written before they invented autocomplete, it's all TLAs like /var/usr/bin/lib/wtf.
In this case it's the file system hierarchy, not the file system. Personally, I think the argument for longer filenames is bogus. Using longer filenames isn't necessarily going to make their purpose any more clear, and for everything outside of the home folder, the novice user should probably not be touching that stuff, any more than they should be poking around in C:\Windows. Being user friendly is not a feature for things that are not intended for casual use. Autocomplete is an even worse argument: I'm not saving any keystrokes by typing /bi[TAB] versus /bin.
However, your example was somewhat poorly chosen in another sense, because while there is no call to make the names longer, at least one major distribution got rid of some of those top-level folders. Fedora likes to move fast and break things anyway, but in this case the historical justification for splitting up the binaries was, well, kind of ridiculous. Thompson and Ritchie created that particular issue a couple years before CP/M inflicted drive letters on us, but forty years later it's still a bug worth fixing. Most of today's code and systems will be pretty hoary in forty years, and I'm not sure I would consider it a virtue if it ran unmodified on my...hmm, well, whatever system exists at that time. One can always use emulation to provide old features, but most of the time I'd rather that not be happening at the OS level.
Given that Windows inherited both 8.3 filenames and drive letters from CP/M, it makes sense to talk about them in the same context. Drive letters are pretty harmless, but having "secret" 8.3 filenames and unremovable folders is probably something that needs to go. Linux definitely doesn't have those kind of problems.
Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
We tend to notice negatives more than positives. Negativity bias explains that.
This being said, I do not believe in any "system" that claims to "run itself," whether capitalism, democracy or the wisdom of crowds. There must always be enlightened leaders, although I prefer a form distinct from the Canadian government.
Slashdot has never used the code tag in stories... does it work there?
I still find imaging software the best tool for any Windows user. Just revert to an image before the issue, and 15 minutes later, it is though nothing happened.
I use no anti virus and have all my data on a separate partition. The image is of a clean installation with all my software.
Wow, that was once model +4 Insightful, now it's quickly gone to -1 Flamebait. I'm starting to think the editors are censoring criticism of them, even when it's legitimate.
I'm convinced of this. I've seen various posts go from +5 to -1 in record time. I've seen it happen when several of the "Little Darlings" of /. get whacked and suddenly it's changed to +5. They own it, they can do what they want with it, and they obviously are.
I don't know for sure but it should considering a lot of stories are blog posts from the slashdot account and the submission page looks a lot like the posting page.
The "quote marks" or quoted text of the command showed up fine for me in the story. It wasn't until someone copied it that there was an issue.
How is this a story? A bog standard .exe kicked off at user login by the registry Run key? How very Windows XP of them.
Also, what the fuck is God mode? I've been an admin since DOS 3 and I have never heard of it. Checking it out, I see it's a term used by bloggers, to describe a built in hidden folder, accessed using a CLSID. What utter fucktard calls that God mode?
This is the sort of utter crap that I expect to see on a LoL or Minecraft forum post, not Slashdot.
rd “\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}” /S
Either add support for UTF-8 to Slash or edit your copypasta to remove broken quotes. Don't just throw your hands in the air.
Replying to undo mis-moderation. Strangely, modding this up from -1 left it at -1. Is there a secret -2 that reads as -1?