Win32/Riern [Threat Name]
Win32/Riern.E [Threat Variant Name]

| Category | trojan |
| Size | 57344 B |
| Aliases | Trojan.Win32.Genome.iagy (Kaspersky), Riern (McAfee), Win32:Riern-D (Avast) |
Short description
Win32/Riern.E installs a backdoor that can be controlled remotely.
Installation
When executed, the trojan creates the following files:
- %appdata%\macromedia\common\%variable1%.dll
- %appdata%\macromedia\common\%variable2%.exe
In order to be executed on every system start, the trojan sets the following Registry entries:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
  - "WAB" = "%appdata%\macromedia\common\%variable2%.exe"
  - "rundll32.exe" = ""
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32]
  - "aux1" = "%appdata%\macromedia\common\%variable1%.dll"
  - "aux2" = "%appdata%\macromedia\common\%variable1%.dll"
  - "midi1" = "%appdata%\macromedia\common\%variable1%.dll"
  - "midi2" = "%appdata%\macromedia\common\%variable1%.dll"
  - "mixer1" = "%appdata%\macromedia\common\%variable1%.dll"
  - "mixer2" = "%appdata%\macromedia\common\%variable1%.dll"
  - "wave1" = "%appdata%\macromedia\common\%variable1%.dll"
  - "wave2" = "%appdata%\macromedia\common\%variable1%.dll"
A string with variable content is used instead of %variable1-2%.
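The Drivers32 key maps multimedia driver aliases (wave, midi, aux, mixer) to DLLs that the Windows multimedia subsystem loads, so a legitimate value there is normally a bare driver filename shipped with Windows, not a full path into a user profile. The following PowerShell audit is an added example, not part of the ESET description, and not the vendor's tooling: it reads the two keys listed above and flags values that are empty (as the "rundll32.exe" = "" entry is), that point into a user-writable directory such as %appdata%, or that are Drivers32 entries rooted outside the Windows directory. The variable file names are never matched directly, because they differ per infection.

```powershell
# Added example (not from the ESET page): audit the Run and Drivers32 keys
# used by Win32/Riern.E for persistence. Run from an elevated PowerShell.

$checks = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Drivers32',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)

# Legitimate Drivers32 entries reference drivers under the Windows directory
# (e.g. "wdmaud.drv"); user-writable locations are suspicious there.
$systemRoot   = [System.Environment]::GetFolderPath('Windows')
$userWritable = @(
    [System.Environment]::GetFolderPath('ApplicationData'),       # %appdata%
    [System.Environment]::GetFolderPath('LocalApplicationData'),  # %localappdata%
    [System.IO.Path]::GetTempPath()                               # %temp%
)

$findings = foreach ($key in $checks) {
    if (-not (Test-Path -Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        if ($name -eq '') { continue }   # skip the key's (Default) value
        $value    = [string]$item.GetValue($name)
        $expanded = [System.Environment]::ExpandEnvironmentVariables($value).Trim('"')
        $reason   = $null

        if ($value -eq '') {
            $reason = 'empty value (matches the "rundll32.exe" = "" marker)'
        }
        elseif ($userWritable | Where-Object { $expanded.StartsWith($_, 'OrdinalIgnoreCase') }) {
            $reason = 'points into a user-writable directory'
        }
        elseif ($key -like '*Drivers32' -and
                [System.IO.Path]::IsPathRooted($expanded) -and
                -not $expanded.StartsWith($systemRoot, 'OrdinalIgnoreCase')) {
            $reason = 'Drivers32 entry rooted outside the Windows directory'
        }

        if ($reason) {
            [pscustomobject]@{ Key = $key; Name = $name; Value = $value; Reason = $reason }
        }
    }
}

$findings | Format-Table -AutoSize
```

On 64-bit Windows the same check should also be run against the 32-bit view of the key, HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32, since a 32-bit sample writes there. Any flagged DLL or EXE should be collected before the Run values and Drivers32 entries are restored, so the sample is available for analysis.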
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of (1) URLs.
It can execute the following operations:
- set up a proxy server
- download files from a remote computer and/or the Internet
- run executable files
- send files to a remote computer
- log keystrokes
- capture screenshots
The trojan may create the following files:
- %temp%\%variable%.tmp
A string with variable content is used instead of %variable%.
The trojan keeps various information in the following Registry keys:
- [HKEY_CURRENT_USER\Software\Macromedia]
- [HKEY_CURRENT_USER\Software\AppDataLow\Software\Macromedia]