Beyond good ol’ Run key, Part 12

May 21, 2014 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

After googling around I couldn’t find any reference to Rover autostart mechanism, so here is a quick introduction for you:

Adding this key [key only is enough]:

  • HKEY_CLASSES_ROOT\CLSID\{16d12736-7a9e-4765-bec6-f301d679caaa}

and dropping the following file:

  • c:\windows\system32\rover.dll

with an exported function called RunMonitor will cause rover.dll to be loaded.anytime user logs in [it’s loaded by userinit.exe].

Tested on Windows 7 and Windows 8.1.


I have received a few questions with regards to this post, so here are some notes that I hope will be helpful:

  • Despite being placed under HKCR, it’s not a regular COM entry
  • It’s an equivalent of a Boolean flag stored in Registry; same as a presence of a file on a disk
    • If key exists
      { do something }
  • I believe it’s a part of some testing/QA platform; maybe some exotic extension used only in special builds [Windows is actually full of these conditionally loaded DLLs]

Note: For unknown reason this post disappeared. Re-adding it. (suspecting wordpress hiccup; update: after checking logs it looks more like a DB problem and it was restored by the provider from a backup /removing the post on the way/)

Comments are closed.