Malware misuses the Windows God Mode to hide itself

God Mode, the hidden Windows tweak is the latest to be used by hackers and malware writers to hide malware on Windows computers. Cyber criminals are now placing files inside this master control panel, commonly called as GodMode to redirect users to malware. It lets users collect all of their Control Panel functions and PC controls and accessibility options in a single folder.

As per the report posed by McAfee, the new so-called God Mode threat brings a malware, Dynamer, which is installed inside %AppData% of one of these folders.godmode

Dynamer malware hides inside the God Mode folder

A registry run key value is created to persist across reboots. (The executable name is dynamic.)

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run lsm = C:\Users\admin\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe

The folder containing this new malware initially opens normally, but when the folder, “com4. {241D7C96-F8BF-4F85-B01F-E2B043341A4B}” is accessed, the user is redirected to the Desktop Connections control panel and RemoteApp.

Furthermore, the attackers have named the malware directory as com4 which is forbidden by normal cmd.exe commands and is treated as a device, thereby preventing users from deleting the folder using typical console commands or Windows Explorer.

For those who don’t know about GodMode, it is a very handy but hidden feature in Windows, which allows users to create a quick access folder which actually works as a shortcut to all their Windows settings.

God Mode is specially used to create a shortcut to the Control Panel and other basic Windows settings like My Computer, or printer etc. GodMode is a very easy-to-install feature and works on almost every version of Windows. It has been a part of the Microsoft Windows OS for almost a decade now. To be specific, GodMode brings all aspects of your Windows PC controls in a single place.

Now when the hackers are using GodMode, also known as Super Mode for their evil deeds. McAfee advises using the following technique to kill the problem:

First, the malware must be terminated (via Task Manager or other standard tools). Next, run this specially crafted command from the command prompt (cmd.exe):

rd “\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}” /S /Q

Stay safe!

Posted by with Tags
Shiwangi Peswani is a qualified writer and a blogger, who loves to dabble with and write about computers and the Internet. While focusing on and writing on technology topics, her varied skills and experience enables her to write on any topics which may interest her.