Windows God Mode being used to help spread malware
May 3, 2016
Shah Sheikh (1294 articles)
Share

Windows God Mode being used to help spread malware

Few years back, a tweak that turned on “God Mode” in Windows was uncovered. Now, malware authors are starting to use this mode to their advantage.

For those who aren’t familiar with God Mode, here’s how it works. Instead of typing IDDQD at a command prompt, all you have to do is create a new folder and name it something like GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}. Double-click it, and you’ll see a folder with access to just about every settings screen Windows has to offer.

It doesn’t grant you any additional “powers,” but it gives you a handy one-stop shop for changing your Windows configuration. It’s easy enough to see how God Mode could be helpful to a power user, but what about malware?

According to McAfee researchers, it’s all to do with those individual entries in the God Mode folder. The malware they discovered hides itself in a folder with a non-standard name. Instead of trying to look like something that’s buried in your System32 or WinSXS folder, it copies the structure used by the God Mode entries.

ss7

Slap a name like com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B} on a folder when it’s created and you won’t get a normal folder icon — or normal folder behavior. If you double-click it to open it, you’ll be redirected to an empty remote desktop connection screen inside the Control Panel.

Why would a malware author do that? Because it makes it harder to delete the malware from a computer. You can’t simply highlight the folder and delete it, and you can’t use del or rmdir from a command prompt to get rid of it either.

This technique doesn’t invoke actual degreelessness for the malware, though. McAfee says their security software can remove it without breaking a sweat, and you can remove it from a command prompt by first killing the malicious process in task manager and adding a couple flags to the rd command — check McAfee’s post for the details.

Source | Geek