guardicq.exe

GuardMailRu Module

LLC Mail.Ru

The application guardicq.exe by LLC Mail.Ru has been detected as a potentially unwanted program by 2 anti-malware scanners. It runs as a Windows service named “Guard.Mail.ru” in its own process (service type Win32OwnProcess). This file is typically installed with the program Guard.ICQ by Mail.Ru. While running, it connects to the Internet address mra.mail.ru on port 80 using the HTTP protocol.
Publisher:
LLC Mail.Ru  (signed and verified)

Product:
GuardMailRu Module

Version:
1, 0, 0, 296

MD5:
e859ca020ed61899f3c74a8d0032d05c

SHA-1:
da1c996598d1755d8b2b77081ea5bbc23125d10e

SHA-256:
6bdb0e1e8aa0ca2afe82eeb86936e824dc5d8473d1539a953ea5369db04e63ce

Scanner detections:
2 / 68

Status:
Potentially unwanted

Analysis date:
11/23/2024 2:59:15 AM UTC

Scan engine         Detection                  Engine version
Reason Heuristics   PUP.Optional.Service.I     14.3.28.18
Rising Antivirus    PE:Trojan.RuMail!1.6574    23.00.65.131217

File size:
1.5 MB (1,564,368 bytes)

Product version:
1, 0, 0, 296

Copyright:
Copyright 2010

Original file name:
GuardMailRu.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Program Files\guard-icq\guardicq.exe

Digital Signature
Signed by:

Authority:
Thawte Consulting (Pty) Ltd.

Valid from:
1/10/2010 7:00:00 PM

Valid to:
1/11/2012 6:59:59 PM

Subject:
CN=LLC Mail.Ru, OU=Secure Application Development, O=LLC Mail.Ru, L=Moscow, S=Moscow region, C=RU

Issuer:
CN=Thawte Code Signing CA, O=Thawte Consulting (Pty) Ltd., C=ZA

Serial number:
18187BCC2DAF1EDD44A2F454900EC5DC

File PE Metadata
Compilation timestamp:
11/21/2011 11:18:17 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:rwg4BjexvdPuMgba5oZNqnVXo7QuaYURf89VAtEOknFzxHec2m0V0:r4Bsv5z5SqBOnOkPHec2m00

Entry address:
0xF80C3

Entry point:
E8, 62, C0, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 57, 56, E8, B4, 1A, 00, 00, 33, FF, 59, 3B, F7, 75, 1D, E8, 52, 1A, 00, 00, 57, 57, 57, 57, 57, C7, 00, 16, 00, 00, 00, E8, A7, C5, FF, FF, 83, C4, 14, 83, C8, FF, EB, 34, 39, 7D, 0C, 74, DE, B9, FF, FF, FF, 7F, C7, 45, EC, 49, 00, 00, 00, 89, 75, E8, 89, 75, E0, 89, 4D, E4, 3B, C1, 77, 03, 89, 45, E4, FF, 75, 14, 8D, 45, E0, FF, 75, 10, FF, 75, 0C, 50, FF, 55, 08, 83, C4, 10, 5F, C9, C3, 8B, FF, 55, 8B, EC, 56, 8B, 75, 08, 8D, 45, 10...

Entropy:
6.5132

Code size:
1.1 MB (1,197,056 bytes)

Service
Display name:
Guard.Mail.ru

Description:
Guard.ICQ: Protects browsers settings (version 1.0.0.296)

Type:
Win32OwnProcess
The file guardicq.exe has been discovered within the following program.

Guard.ICQ  by Mail.Ru
About 5% of users remove it

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mra.mail.ru  (217.69.139.127:80)