Your browser is obsolete!

The page may not load correctly.

Unexpected guests

Незваные гости

Other issues in this category (70)
  • add to favourites
    Add to Bookmarks

Mix, but don’t shake

Read: 22093 Comments: 2 Rating: 10

Friday, April 27, 2018

Recently, we told you about extensions and links. Even without delving into the intricacies of a Windows OS device, it’s clear that these are two vastly different, completely unrelated things. What will happen if we use them together? So, we mix, we shake, and...

Windows Vista, 7, 8 and 10 incorporate an interesting fine-tuning feature, the so-called GodMode. This mode lets users manage all the Windows settings via a user-friendly GUI menu. How can a user access this mode?

  1. Right-click any empty space on your desktop.
  2. Select "Create" and create a new folder.
  3. Rename the folder: GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}. You can use any other characters in place of GodMode.

This folder will contain all the settings, including those not contained in the "Control Panel" or "Options" menu:

#drweb

https://geektimes.ru/post/80098

This feature is not very popular, but it is interesting. And attackers have come up with a way to exploit it!

The Trojan Dynamer writes its files to one of the folders available in GodMode inside %AppData%.

The executable is run on a command from the registry, but it is impossible to manually open this folder because the folder into which the Trojan ({241D7C96-F8BF-4F85-B01F-E2B043341A4B}) places its files acts as a shortcut to the settings "RemoteApp and Desktop Connections".

#drweb

And here is the content of the folder if opened in Explorer.

#drweb

https://geektimes.ru/post/275164

So, we've got links; now let's add extensions. The fact is that extensions can be associated not just with certain types of files—they can also indicate that a file is a device. For Windows users this sounds strange (note: for Linux users it’s normal), but it’s actually a standard OS feature that makes it possible to address different things (files, memory, and many others) via a unified interface.

The authors of the Trojan prepended the name “com4" to the folder. As a result, Windows treats the folder as a hardware device. Windows Explorer cannot delete a folder with this name!

#drweb

Similarly, it can not be deleted via the console.

https://geektimes.ru/post/275164

Of course, it’s impossible to delete this folder manually. But an anti-virus can do the job!

#Windows #Trojan #anti-virus_scan

The Anti-virus Times recommends

An anti-virus can access different OS sectors—even those that cannot be accessed by ordinary users. It has to be able to do this in order to counter malware that hides its activity in a system.

That’s why only an anti-virus scan can drive malicious programs out of every nook and cranny of your computer.

[Twitter]

Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments