
Trojan uses Windows “god mode” to hide in the system

As you may know, Windows Vista, 7, 8 and 10 contain a kind of Easter egg: GodMode (God mode). Starting with Vista, you can create a folder with a specially formed name that redirects to a Windows settings or service folder, such as Control Panel, Computer, Printers, and so on.

For example, if you create a folder on your desktop called GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} (any characters can be used instead of GodMode), it will display all settings inside, including those that are not present in the Control Panel or Settings menus (see screenshot).

A very handy feature for managing system settings and for system administration.

Unfortunately, God mode is used not only by system administrators, but also by malware authors.

Experts from the antivirus company McAfee Labs describe the Dynamer Trojan, which uses God mode to hide from detection on the system.

During installation, Dynamer writes its files to one of these folders inside %AppData%. It creates a registry key that survives a reboot and launches the malware binary every time the system starts:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lsm = C:\Users\admin\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe

Thus, the executable is launched normally by the command stored in the registry, but you cannot enter this folder manually: as the list at the end of this article shows, the {241D7C96-F8BF-4F85-B01F-E2B043341A4B} folder acts as a shortcut to “RemoteApp and Desktop Connections”.

Here are the contents of the folder when you open it in Windows Explorer.

Moreover, the Trojan's authors prefixed the folder name with “com4.”, so that Windows treats the name as a hardware device (com4 is a reserved device name). Windows Explorer cannot delete a folder with such a name.

Similarly, it cannot be deleted from the console.

Ordinary antivirus products get around this virus writers' trick. To delete the folder manually, run the following command from the console:

rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q

The Dynamer Trojan was first discovered several years ago, but Microsoft still considers it a “serious threat” to Windows users.
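As an added example (not code from the article or from McAfee), here is a small Python detector for the two tricks described above: it scans Run-key entries written in the same "name = command" form as the registry line quoted earlier, flags any path component that starts with a reserved DOS device name (com4) or ends in a .{CLSID} suffix (the God mode junction), and builds the rd command from the article for the flagged folder. The sample entries and the function names are my own constructions.

```python
import ntpath
import re

# Reserved DOS device names. Win32 treats a path component whose base name
# (text before the first '.') is one of these as a device, which is why
# Explorer and cmd.exe cannot remove "com4.{...}" unless given the \\.\ form.
RESERVED_DEVICES = ({"CON", "PRN", "AUX", "NUL"}
                    | {f"COM{i}" for i in range(1, 10)}
                    | {f"LPT{i}" for i in range(1, 10)})
# A trailing ".{CLSID}" turns a folder into a shell namespace junction (the
# God mode trick), so Explorer shows the junction target instead of the files.
CLSID_SUFFIX = re.compile(
    r"\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

def suspicious_components(path):
    """Return (reason, component) pairs for each odd component of a path."""
    findings = []
    for comp in path.split("\\"):
        if comp.split(".", 1)[0].upper() in RESERVED_DEVICES:
            findings.append(("reserved-device-name", comp))
        if CLSID_SUFFIX.search(comp):
            findings.append(("clsid-suffix", comp))
    return findings

def executable_path(command):
    """Pull the image path out of a Run-key command, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return command.split(" ")[0]  # unquoted paths with spaces are not handled

def scan_run_entries(lines):
    """Map value name -> findings for 'name = command' lines like the one above."""
    hits = {}
    for line in lines:
        name, sep, command = line.partition(" = ")
        if sep and (found := suspicious_components(executable_path(command))):
            hits[name.strip()] = found
    return hits

def removal_command(exe_path):
    """Build the rd command from the article; the device-path prefix makes the folder reachable."""
    return f'rd "\\\\.\\{ntpath.dirname(exe_path)}" /S /Q'

# Constructed sample entries (hypothetical, not captured from a real system).
SAMPLE_RUN_ENTRIES = [
    r"OneDrive = C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    r"lsm = C:\Users\admin\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe",
    r'upd = "C:\Users\admin\AppData\Roaming\x.{ED7BA470-8E54-465E-825C-99712043E01C}\upd.exe" -q',
]
```

Calling scan_run_entries(SAMPLE_RUN_ENTRIES) flags lsm for both tricks and upd for the CLSID suffix only; OneDrive is left alone.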

As a bonus, here is a list of God mode folder names (GUIDs) for quick access to individual Windows settings:

Action Center.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}
Backup and Restore.{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}
Biometric Devices.{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}
Credential Manager.{1206F5F1-0569-412C-8FEC-3204630DFB70}
Default Location.{00C6D95F-329C-409a-81D7-C46C66EA7F33}
Devices and Printers.{A8A91A66-3A7D-4424-8D24-04E180695C7A}
Display.{C555438B-3C23-4769-A71F-B6D3D9B6053A}
HomeGroup.{67CA7650-96E6-4FDD-BB43-A8E774F73A57}
Location and Other Sensors.{E9950154-C418-419e-A90A-20C5287AE24B}
Notification Area Icons.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}
Recovery.{9FE63AFD-59CF-4419-9775-ABCC3849F861}
RemoteApp and Desktop Connections.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}
Speech Recognition.{58E3C745-D971-4081-9034-86E34B30836A}
Troubleshooting.{C58C4893-3BE0-4B45-ABB5-A63E4B8C8651}
Administrative Tools.{D20EA4E1-3957-11d2-A40B-0C5020524153}
All .NET Frameworks and COM Libraries.{1D2680C9-0E2A-469d-B787-065558BC7D43}
All Tasks (Control Panel).{ED7BA470-8E54-465E-825C-99712043E01C}
AutoPlay.{9C60DE1E-E5FC-40f4-A487-460851A8D915}
BitLocker Drive Encryption.{D9EF8727-CAC2-4e60-809E-86F80A666C91}
Computer Folder.{20D04FE0-3AEA-1069-A2D8-08002B30309D}
Default Programs.{17cd9488-1228-4b2f-88ce-4298e93e0966}
Ease of Access Center.{D555645E-D4F8-4c29-A827-D93C859C4F2A}
Font Settings.{93412589-74D4-4E4E-AD0E-E0CB621440FD}
Get Programs.{15eae92e-f17a-4431-9f28-805e482dafd4}
Manage Wireless Networks.{1FA9085F-25A2-489B-85D4-86326EEDCD87}
Network and Sharing Center.{8E908FC9-BECC-40f6-915B-F4CA0E70D03D}
Network Connections.{7007ACC7-3202-11D1-AAD2-00805FC1270E}
Network Folder.{208D2C60-3AEA-1069-A2D7-08002B30309D}
Parental Controls.{96AE8D84-A250-4520-95A5-A47A7E3C548B}
Performance Information and Tools.{78F3955E-3B90-4184-BD14-5397C15F1EFC}
Personalization.{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921}
Power Options.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}
Programs and Features.{7b81be6a-ce2b-4676-a29e-eb907a5126c5}
Sync Center.{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}
System.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}
User Accounts.{60632754-c523-4b62-b45c-4172da012619}
Windows Firewall.{4026492F-2F69-46B8-B9BF-5654FC07E423}
Windows SideShow.{E95A4861-D57A-4be1-AD0F-35267E261739}
Windows Update.{36eef7db-88ad-4e81-ad49-0e313f0c35f8}

For a complete list of GUIDs with the Windows versions that support them, see the Microsoft documentation.

Source: https://habr.com/ru/post/357066/
