Win32/Riern [Threat Name] go to Threat

Win32/Riern.E [Threat Variant Name]

Category trojan
Size 57344 B
Aliases Trojan.Win32.Genome.iagy (Kaspersky)
  Riern (McAfee)
  Win32:Riern-D (Avast)
Short description

Win32/Riern.E installs a backdoor that can be controlled remotely.


When executed, the trojan creates the following files:

  • %appdata%\­macromedia\­common\­%variable1%.dll
  • %appdata%\­macromedia\­common\­%variable2%.exe

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "WAB" = "%appdata%\­macromedia\­common\­%variable2%.exe"
    • "rundll32.exe" = ""
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Drivers32]
    • "aux1" = "%appdata%\­macromedia\­common\­%variable1%.dll"
    • "aux2" = "%appdata%\­macromedia\­common\­%variable1%.dll"
    • "midi1" = "%appdata%\­macromedia\­common\­%variable1%.dll"
    • "midi2" = "%appdata%\­macromedia\­common\­%variable1%.dll"
    • "mixer1" = "%appdata%\­macromedia\­common\­%variable1%.dll"
    • "mixer2" = "%appdata%\­macromedia\­common\­%variable1%.dll"
    • "wave1" = "%appdata%\­macromedia\­common\­%variable1%.dll"
    • "wave2" = "%appdata%\­macromedia\­common\­%variable1%.dll"

A string with variable content is used instead of %variable1-2% .

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs.

It can execute the following operations:

  • set up a proxy server
  • download files from a remote computer and/or the Internet
  • run executable files
  • send files to a remote computer
  • log keystrokes
  • capture screenshots

The trojan may create the following files:

  • %temp%\­%variable%.tmp

A string with variable content is used instead of %variable% .

The trojan keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\­Software\­Macromedia]
  • [HKEY_CURRENT_USER\­Software\­AppDataLow\­Software\­Macromedia]

Please enable Javascript to ensure correct displaying of this content and refresh this page.