Windows ‘God Mode’ Feature Exploited by New Malware to Avoid Identification
Researchers have identified a new malware taking advantage of Windows God Mode and infecting users.

Malware on Windows is nothing new, and Microsoft has claimed that Windows 10 automatically detects the presence of malware. Even so, the Dynamer malware slips past Windows security by exploiting God Mode.

God Mode is a distinctively named feature that has been part of Microsoft Windows for almost a decade. It works like an Easter egg and gives users quick access to a large number of settings. It adds no new capability to the computer; it simply creates a folder that gathers the most frequently used and most useful Control Panel options in one place. The folder is unusual because, once created, it does not show a normal folder icon but turns itself into a God Mode link, and Windows handles such special directories quite differently from ordinary ones.


According to analysis by McAfee researchers, however, the malware uses a folder name modelled on the God Mode folder to evade detection. Given how this kind of folder is handled, the revelation that Windows God Mode is being exploited by malware is unsettling. Although God Mode is an integral and widely known Microsoft system tweak, it has never been officially documented. As a result, a number of applications and tools cannot access items contained in such a folder, which gives malware the perfect opportunity to penetrate a system and hide in it.

Don’t worry there is a way to get rid of this malware

According to the McAfee researchers, the feature is being abused by a new variant of the existing Dynamer malware. Once installed on a device, it quickly deploys itself into the Windows AppData directory and then establishes itself in a master Control Panel directory identical to God Mode.

Even if the user suspects the malware is present and manages to track down the location of the executable, the modified folder will simply open the RemoteApp and Desktop Connections Control Panel item, because the malware’s developer has taken extreme care to make it hard to remove. The malware uses the folder name “com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}”, which is a master stroke because Windows reserves names such as COM4 for devices and treats anything carrying that name specially. Internet Explorer and cmd.exe therefore consider the folder a device, and the fake folder becomes immune to file management and console commands.

Solution:

Don’t lose heart, though: it is only named God Mode, there is no divinity involved, and it can be removed easily, since the malware relies only on some exploitable vulnerabilities of Windows. Kill all of its processes from Task Manager, then at a command prompt enter: rd "\\.\%appdata%\com4.{241D7C96-F8BF-4F85-B01F-E2B043341A4B}" /S /Q
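The two removal steps above (stop the processes, then delete the folder through the \\.\ device namespace) can be scripted so that an administrator can audit a whole profile rather than typing one hard-coded path. The following PowerShell is an added example, not code from the article or from McAfee. It assumes the AppData location the article names as the default root, and it generalises the folder name to any reserved DOS device name (COM1-9, LPT1-9, CON, PRN, AUX, NUL) followed by a CLSID suffix, of which the com4.{...} name above is one instance.

```powershell
# Added example (not from the article or McAfee): audit a directory for folders named
# after a reserved DOS device name with a CLSID suffix (the "com4.{...}" pattern),
# stop any process running from such a folder, and optionally remove the folder via
# the \\.\ device namespace exactly as the article's "rd" command does.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root = $env:APPDATA,   # assumption: the article names %APPDATA% as the drop location
    [switch]$Remove                 # without -Remove the script only reports and stops processes
)

# Names the Win32 file APIs treat as devices; a directory called "COM4.{GUID}" is
# therefore unreachable for Explorer, cmd.exe del/rd and Remove-Item by its plain path.
$reserved = @('CON', 'PRN', 'AUX', 'NUL') + (1..9 | ForEach-Object { "COM$_"; "LPT$_" })
$clsid    = '\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
$pattern  = '^(?:' + ($reserved -join '|') + ')\.' + $clsid + '$'

# Listing the parent works with ordinary cmdlets; it is opening the reserved name
# itself that fails, which is why removal below goes through "\\.\".
$suspects = Get-ChildItem -LiteralPath $Root -Directory -Force -ErrorAction Stop |
    Where-Object { $_.Name -match $pattern }

if (-not $suspects) {
    Write-Host "No reserved-name folders found under $Root"
    return
}

foreach ($dir in $suspects) {
    $full = $dir.FullName
    Write-Warning "Suspicious folder: $full"

    # Step 1 from the article: kill whatever is executing out of the folder.
    $running = Get-Process | Where-Object {
        $_.Path -and $_.Path.StartsWith($full + '\', 'OrdinalIgnoreCase')
    }
    foreach ($p in $running) {
        if ($PSCmdlet.ShouldProcess("$($p.Name) (PID $($p.Id))", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force
        }
    }

    # Step 2: the "\\.\" prefix bypasses the reserved-name check so rd can reach it.
    if ($Remove -and $PSCmdlet.ShouldProcess($full, 'rd /S /Q via \\.\ device namespace')) {
        & cmd.exe /c "rd `"\\.\$full`" /S /Q"
        # Re-list the parent to confirm, since Test-Path on a reserved name is unreliable.
        $still = Get-ChildItem -LiteralPath $Root -Directory -Force |
            Where-Object { $_.Name -eq $dir.Name }
        if ($still) { Write-Warning "Still present: $full" } else { Write-Host "Removed: $full" }
    }
}
```

Run it once without -Remove to see what would be touched, and with -WhatIf to dry-run the process kills and the deletion; the ShouldProcess calls honour both. Ordinary Remove-Item is deliberately not used, because it fails on the reserved name for the same reason Explorer and cmd.exe do.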

The command deletes the malware by removing its directory. But the incident highlights the real problem: Microsoft has to stop such directories from being created so easily, or more malware will emerge that abuses Windows features in the same way.

There is more on this malware on McAfee’s blog.

Waqas

Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering the latest happenings in the cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.