Malware Taps Windows' 'God Mode'

Reader wiredmikey writes: Researchers at McAfee have discovered a piece of malware dubbed "Dynamer" that is taking advantage of a Windows Easter Egg -- or a power user feature, as many see it -- called "God Mode" to gain persistency (warning: annoying popup ads) on an infected machine. God Mode, as many of you know, is a handy tool for administrators as it is essentially a shortcut to accessing the operating system's various control settings. Dynamer malware is abusing the function by installing itself into a folder inside of the %AppData% directory and creating a registry run key that persists across reboots. Using a "com4" name, Windows considers the folder as being a device, meaning that the user cannot easily delete it. Given that Windows treats the folder "com4" folder differently, Windows Explorer or typical console commands are useless when attempting to delete it.Fortunately, there's a way to remove it. McAfee writes: Fortunately, there is a way to defeat this foe. First, the malware must be terminated (via Task Manager or other standard tools). Next, run this specially crafted command from the command prompt (cmd.exe): > rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q.

Payload?

[The+New+Guy+2.0]

Nice that Macaffe found the uninstall instructions for this... but what is the payload they were trying to deploy. The God Mode install of a file device is a way to get in that must be closed. but what did this do if left installed? Knowing what this does if left alone leads to who to blame.

How to remove ANY special filename in Windows

[xlsior]

The Windows GUI will prevent creation and removal of any 'special' foldername that looks like a device: LPT1, COM6, CON, etc.

To remove any of those "special" file/foldernames after the fact, all you need is look for the short 8.3 notation of the filename that the filesystem uses behind the scenes, and which the GUI hides from the end user.
Open a command prompt and navigate to the folder that contains the special name
dir /x will show the associated "short" filename, e.g. co~123 instead of COM4

You can directly remove/rename/etc the file from the command prompt when referring to these short names:
remove a file: del co~123
remove a folder with its contents: rd co~123 /s

Re:How to remove ANY special filename in Windows

[93+Escort+Wagon]

dir /x will show the associated "short" filename, e.g. co~123 instead of COM4

Wait a minute... Windows is still using that bastardized dual naming system, 20 years in?

God help you a Windows users...

Re:How to remove ANY special filename in Windows

[clovis]

The Windows GUI will prevent creation and removal of any 'special' foldername that looks like a device: LPT1, COM6, CON, etc.

To remove any of those "special" file/foldernames after the fact, all you need is look for the short 8.3 notation of the filename that the filesystem uses behind the scenes, and which the GUI hides from the end user.

Open a command prompt and navigate to the folder that contains the special name

dir /x will show the associated "short" filename, e.g. co~123 instead of COM4

You can directly remove/rename/etc the file from the command prompt when referring to these short names:

remove a file: del co~123

remove a folder with its contents: rd co~123 /s

In addition to what xlsior said,

Regarding the so-called "specially crafted command" in the example,
  (rd “\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}” /S /Q),

All it is doing is using the \\.\ prefix to tell the parser to skip reserved-word checking.
For example, you cannot create a folder c:\com4 using MKDIR C:\com4. but MKDIR "\\.\C:\com4" succeeds.
Likewise with the RMDIR

Re:How to remove ANY special filename in Windows

[lgw]

Backwards compatibility is important. Why drop it? 16-bit support is finally gone, but I suspect only because everything anyone still uses (games) has been virtualized already.

Re:How to remove ANY special filename in Windows

[dwywit]

Apropos your user ID.

It's called backwards compatibility.

Re:How to remove ANY special filename in Windows

[Kjella]

Uh huh. And the main drive is still called C: because A: and B: were floppy drives once. Some things aren't worth changing, simply because it'd break lots of existing code for no particular reason. For example I think the Linux (POSIX?) file system was written before they invented autocomplete, it's all TLAs like /var/usr/bin/lib/wtf. But I care roughly as much as that drives in Windows start on C:, which is to say very very little.

Re:How to remove ANY special filename in Windows

[The+MAZZTer]

It is still possible for the short name to be COM4. In any case, you can use the special format: \\?\C:\etc\etc\com4 in a del or similar command. It will usually work as long as the command passes it straight through to the Windows API function calls.

Re:How to remove ANY special filename in Windows

Backwards compatibility is important. Why drop it? 16-bit support is finally gone, but I suspect only because everything anyone still uses (games) has been virtualized already.

16 bit is only gone if you are running the 64 bit version of Windows. if you are running the 32 bit version, which for some bizaare reason still exists, even in Windows 10, then you can still run 16 bit programs.

Re:How to remove ANY special filename in Windows

[tlhIngan]

Backwards compatibility is important. Why drop it? 16-bit support is finally gone, but I suspect only because everything anyone still uses (games) has been virtualized already.

16 bit is only gone if you are running the 64 bit version of Windows. if you are running the 32 bit version, which for some bizaare reason still exists, even in Windows 10, then you can still run 16 bit programs.

16 bit is gone because AMD64 does not support it. It was an architectural decision. Win64 can only run Win64 and Win32 apps because that's all the underlying processor supports To run 16 bit requires an emulator - which is what the virtualization products do - they run the 16 bit code in an emulator until it switches to 32 bit mode at which point they run the code on the hardware itself.

Windows 10 supports 32 bit because there are a lot of products where it doesn't make sense - low cost PCs often have 1-2 GB of RAM, so why run 64 bit? I mean, my tablet runs 32-bit Windows 10 because it has 1GB of RAM (and it only cost $100) And of course, I have a couple of Win16 apps that I still can't find equivalents for. Of course, Win16 runs under an emulated Windows 3.1 environment and Windows 10 needs to install the NTVDM emulator for Win16 (complete with classic Win3.1 iconography).

Re:How to remove ANY special filename in Windows

[yuriklastalov]

spaces in paths are an abomination any way

Fix Only From Command Prompt?

[organgtool]

Next, run this specially crafted command from the command prompt (cmd.exe): > rd âoe\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}â /S /Q.

What? Clearly windows is not ready for the desktop!

Re:Unsmart quotes

[The+New+Guy+2.0]

Quotes at the command line join together strings that contain spaces... it's basically a one-character escape sequence that keeps the name of the object (directory or filename) together even when it contains a space.

Bad security as a result of paradoxical goals

[bretts]

Designing a computer for the "average person" makes as much sense as designing chainsaws for children. Every "butt wiper" that Microsoft crams into the OS to make it more "user-friendly" ends up being some kind of security hole eventually, at which point the users shrug and keep on clicking CUTE_CAT_VIDEO.EXE shortly before they throw up their hands and proclaim that computers are too hard.

Well, couldn't I just....

[SeaFox]

Using a "com4" name, Windows considers the folder as being a device, meaning that the user cannot easily delete it. Given that Windows treats the folder "com4" folder differently, Windows Explorer or typical console commands are useless when attempting to delete it.

Couldn't I just boot up off a Linux disk, mount the Windows partition, and delete the folder that way? Linux isn't going to play along with this "oooo, let's pretend this directory is hardware" game.

Re:Well, couldn't I just....

In general, it is preferable to delete Windows malware using Linux because this makes sure the malware isn't running and re-creating files faster than you can delete them.

"warning: annoying popup ads"

[Gojira+Shipi-Taro]

Next time, let's just squelch any story that we have to use this disclaimer for. Starve sites that do that to death and they will go away.

Re:Unix Filesystem Heirarchy

[tlhIngan]

In this case it's the file system hierarchy, not the file system. Personally, I think the argument for longer filenames is bogus. Using longer filenames isn't necessarily going to make their purpose any more clear, and for everything outside of the home folder, the novice user should probably not be touching that stuff, any more than they should be poking around in C:\Windows. Being user friendly is not a feature for things that are not intended for casual use. Autocomplete is an even worse argument: I'm not saving any keystrokes by typing /bi[TAB] versus /bin.

Well, depends. Most people seem to think /sbin /bin are relatively interchangeable, with perhaps /sbin holding "superuser" binaries (hence the 's'). OTOH, the s really meant static, so /sbin held staticly linked binaries so in an emergency, you could try to recover your system using those tools. (Its why it's /sbin/init - the environment isn't set up yet for the dynamic linker). And people think it's superuser stuff because well, those tools are generally what superusers use (because you're using them to fix your computer).

Similary, people think /usr is where the "user" stuff goes - applications and programs users use. Instead, it's Unix System Resources which contains things that make this Unix system useful to users.

Of course, these days it's all a mish-mash and a binary can be somewhere - dynamics in /sbin, statics in /bin, executables in /opt and /var, etc.