Slashdot Mirror


Malware Taps Windows' 'God Mode'

Reader wiredmikey writes: Researchers at McAfee have discovered a piece of malware dubbed "Dynamer" that is taking advantage of a Windows Easter Egg -- or a power user feature, as many see it -- called "God Mode" to gain persistency (warning: annoying popup ads) on an infected machine. God Mode, as many of you know, is a handy tool for administrators as it is essentially a shortcut to accessing the operating system's various control settings. Dynamer malware is abusing the function by installing itself into a folder inside of the %AppData% directory and creating a registry run key that persists across reboots. Using a "com4" name, Windows considers the folder as being a device, meaning that the user cannot easily delete it. Given that Windows treats the "com4" folder differently, Windows Explorer or typical console commands are useless when attempting to delete it. Fortunately, there's a way to remove it. McAfee writes: Fortunately, there is a way to defeat this foe. First, the malware must be terminated (via Task Manager or other standard tools). Next, run this specially crafted command from the command prompt (cmd.exe): > rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q.

3 of 114 comments

  1. How to remove ANY special filename in Windows by xlsior · Score: 5, Informative

    The Windows GUI will prevent creation and removal of any 'special' foldername that looks like a device: LPT1, COM6, CON, etc.

    To remove any of those "special" file/foldernames after the fact, all you need to do is look for the short 8.3 notation of the filename that the filesystem uses behind the scenes, and which the GUI hides from the end user.
    Open a command prompt and navigate to the folder that contains the special name.
    dir /x will show the associated "short" filename, e.g. co~123 instead of COM4.

    You can directly remove/rename/etc the file from the command prompt when referring to these short names:
    remove a file: del co~123
    remove a folder with its contents: rd co~123 /s

    1. Re:How to remove ANY special filename in Windows by clovis · Score: 5, Informative

      The Windows GUI will prevent creation and removal of any 'special' foldername that looks like a device: LPT1, COM6, CON, etc.

      To remove any of those "special" file/foldernames after the fact, all you need to do is look for the short 8.3 notation of the filename that the filesystem uses behind the scenes, and which the GUI hides from the end user.

      Open a command prompt and navigate to the folder that contains the special name.

      dir /x will show the associated "short" filename, e.g. co~123 instead of COM4.

      You can directly remove/rename/etc the file from the command prompt when referring to these short names:

      remove a file: del co~123

      remove a folder with its contents: rd co~123 /s

      In addition to what xlsior said,

      Regarding the so-called "specially crafted command" in the example,
        (rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q),

      All it is doing is using the \\.\ prefix to tell the parser to skip reserved-word checking.
      For example, you cannot create a folder c:\com4 using MKDIR C:\com4, but MKDIR "\\.\C:\com4" succeeds.
      Likewise with RMDIR.
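      The cleanup route described in the summary and in the two comments above, put together as an added PowerShell script (this is not McAfee's or either commenter's code): it scans %AppData% for directories whose stem is a Win32 reserved device name, shows the 8.3 short name that dir /x exposes, reports any per-user Run value pointing at the folder (the page does not say which Run key Dynamer uses, so HKCU is an assumption), and only deletes via the \\.\ prefix when run with -Remove.

```powershell
param([switch]$Remove)   # default is report-only; pass -Remove to actually delete

# Win32 reserved device names; "com4.{GUID}" still resolves to COM4 because only the
# part before the first dot is checked.
$reserved = @('CON','PRN','AUX','NUL') + (1..9 | ForEach-Object { "COM$_"; "LPT$_" })

function Test-ReservedName {
    param([string]$Name)
    $stem = $Name.Split('.')[0]
    return ($reserved -contains $stem.ToUpperInvariant())
}

function Find-ReservedDirs {
    param([string]$Root = $env:APPDATA)
    Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-ReservedName $_.Name }
}

$hits = @(Find-ReservedDirs)
if ($hits.Count -eq 0) { Write-Host "No reserved-name directories under $env:APPDATA"; return }

foreach ($dir in $hits) {
    Write-Host "Found: $($dir.FullName)"

    # The 8.3 short name that 'dir /x' reveals (xlsior's route) also works with del/rd.
    cmd.exe /c "dir /x /ad `"$($dir.Parent.FullName)`"" | Select-String -SimpleMatch $dir.Name

    # Assumed location of the persistence entry: the per-user Run key.
    $run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run) {
        $run.PSObject.Properties |
            Where-Object { $_.Value -is [string] -and $_.Value -like "*$($dir.Name)*" } |
            ForEach-Object { Write-Host "Run value '$($_.Name)' -> $($_.Value)" }
    }

    if ($Remove) {
        # \\.\ makes the path parser skip reserved-name handling, which is all the
        # McAfee rd command relies on. Stop the malware process before running this.
        cmd.exe /c "rd /s /q `"\\.\$($dir.FullName)`""
    }
}
```

Run it once without -Remove to review the findings, then again with -Remove after the process has been terminated, as the article advises.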

  2. Re:Well, couldn't I just.... by Anonymous Coward · Score: 2, Informative

    In general, it is preferable to delete Windows malware using Linux because this makes sure the malware isn't running and re-creating files faster than you can delete them.