McAfee says that while the Easter Egg is great for power users, it is also being used by attackers for "evil ends". By placing files within the God Mode shortcut folder, malware such as Dynamer is able to run undetected on a victim's computer.
McAfee researchers explain: "It allows users to create a specially named folder that acts as a shortcut to Windows settings and special folders, such as control panels, My Computer, or the printers folder. This 'God Mode' can come in handy for admins, but attackers are now using this undocumented feature for evil ends. Files placed within one of these master control panel shortcuts are not easily accessible via Windows Explorer because the folders do not open like other folders, but rather redirect the user."
In the case of Dynamer, a registry key is created that runs automatically when Windows starts, and it persists through reboots:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
lsm = C:\Users\admin\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe
This command not only launches the malware but also opens the RemoteApp and Desktop Connections control panel entry as cover. By naming the folder 'com4' the malware writers have made life for victims a little trickier: because 'com4' is a reserved Windows device name, ordinary attempts to delete the file are blocked.
McAfee advises using the following technique to kill the problem:
- First, the malware must be terminated (via Task Manager or other standard tools).
- Next, run this specially crafted command from the command prompt (cmd.exe):
rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q
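The two tricks described above (a CLSID-suffixed "God Mode" folder and a reserved device name as its stem) can both be spotted by inspecting the paths in Run-key entries. The following Python script is an added example, not McAfee's or the article's code; it scans a constructed list of Run-key values (the first mirrors the Dynamer entry quoted above, the others are invented) and flags any path component that matches either pattern.

```python
import re

# Names Win32 path parsing treats as DOS devices; a folder or file whose name
# starts with one of these (e.g. "com4.{...}") cannot be removed by ordinary
# tools, which is why the cleanup above uses the "\\.\" prefix.
RESERVED_NAMES = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)

# A "God Mode" / master control panel folder: <name>.{CLSID}
CLSID_FOLDER = re.compile(
    r"^[^\\]*\.\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$"
)

def extract_executable(command):
    """Return the program path from a Run-key command line (quoted or first token)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]

def analyze_path(path):
    """List suspicious components: CLSID-named folders and reserved device names."""
    findings = []
    for component in path.split("\\"):
        if CLSID_FOLDER.match(component):
            findings.append(f"clsid-folder:{component}")
        if component.split(".", 1)[0].upper() in RESERVED_NAMES:
            findings.append(f"reserved-name:{component}")
    return findings

def scan_run_entries(entries):
    """entries: (value_name, command) pairs exported from a Run key; returns flagged ones."""
    flagged = []
    for name, command in entries:
        findings = analyze_path(extract_executable(command))
        if findings:
            flagged.append((name, findings))
    return flagged

# Constructed sample Run-key contents (the first entry mirrors the Dynamer value above).
SAMPLE_RUN_ENTRIES = [
    ("lsm", r"C:\Users\admin\AppData\Roaming\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}\lsm.exe"),
    ("OneDrive", r'"C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("Updater", r"C:\ProgramData\nul.update\svc.exe"),
]

if __name__ == "__main__":
    for name, findings in scan_run_entries(SAMPLE_RUN_ENTRIES):
        print(name, findings)
```

On a live system the same checks can be fed from an export of the HKCU and HKLM Run keys; a hit on either pattern is a strong indicator that a persistence entry deserves a closer look.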
~ Mark Wilson