GuardMailRu.exe

GuardMailRu Module

LLC Mail.Ru

The application GuardMailRu.exe by LLC Mail.Ru has been detected as a potentially unwanted program by 11 anti-malware scanners. This file is typically installed with the program Guard.Mail.ru by Mail.Ru. While running, it connects to the Internet address mrds.mail.ru on port 80 using the HTTP protocol.
Publisher:
LLC Mail.Ru  (signed and verified)

Product:
GuardMailRu Module

Version:
1, 0, 0, 310

MD5:
f6cb21c63a99eb0c1fbcd68b5f9497ab

SHA-1:
118fe883e391f654c341aabda5ce2b34edfe6d6f

SHA-256:
bd2f1ab1d2522bcb944210f4f85085cec4ddb96da39b4f264c8c37ce694c0808

Scanner detections:
11 / 68

Status:
Potentially unwanted

Analysis date:
12/25/2024 1:49:03 AM UTC  (today)

Scan engine
Detection
Engine version

avast!
Win32:BrowserTakeover-A [PUP]
2014.9-140328

AVG
MalSign.Generic
2015.0.3521

Baidu Antivirus
Trojan.Win32.RuMail
4.0.3.14328

Bkav FE
W32.Clod21c.Trojan
1.3.0.4613

Comodo Security
Application.Win32.RuMail.pwhe
17604

Dr.Web
Adware.Downware.533
9.0.1.087

McAfee
Artemis!E3169A1E78E0
5600.7177

Reason Heuristics
PUP.Optional.MailRu.L
14.3.28.18

Rising Antivirus
Trojan.RuMail!4986
23.00.65.131221

Sophos
RsMall
4.94

Trend Micro House Call
TROJ_GEN.F47V0720
7.2.357

File size:
1.6 MB (1,717,336 bytes)

Product version:
1, 0, 0, 310

Copyright:
Copyright 2010

Original file name:
GuardMailRu.exe

File type:
Executable application (Win32 EXE)

Language:
English (United States)

Common path:
C:\Documents and Settings\{user}\Local settings\temp\guardmailru.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
12/9/2011 12:00:00 AM

Valid to:
2/6/2014 11:59:59 PM

Subject:
CN=LLC Mail.Ru, O=LLC Mail.Ru, L=Moscow, S=Moscow, C=RU

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
1C09DBBC732D4B58F7A88EBACF323417

File PE Metadata
Compilation timestamp:
12/13/2011 8:04:41 AM

OS version:
5.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
9.0

CTPH (ssdeep):
24576:OM+xOsBh5F4QrL2Ji8vLPbUfmjASwzOrLn1ITtNTM+KagloNsU2djqKM99NeE:Z+UMfMLH+oSEagrU2dj9MTNeE

Entry address:
0x1195FC

Entry point:
E8, 46, C3, 00, 00, E9, 79, FE, FF, FF, 8B, FF, 55, 8B, EC, 83, EC, 20, 57, 56, E8, AB, 0D, 00, 00, 33, FF, 59, 3B, F7, 75, 1D, E8, 53, 0D, 00, 00, 57, 57, 57, 57, 57, C7, 00, 16, 00, 00, 00, E8, C9, C0, FF, FF, 83, C4, 14, 83, C8, FF, EB, 34, 39, 7D, 0C, 74, DE, B9, FF, FF, FF, 7F, C7, 45, EC, 49, 00, 00, 00, 89, 75, E8, 89, 75, E0, 89, 4D, E4, 3B, C1, 77, 03, 89, 45, E4, FF, 75, 14, 8D, 45, E0, FF, 75, 10, FF, 75, 0C, 50, FF, 55, 08, 83, C4, 10, 5F, C9, C3, 8B, FF, 55, 8B, EC, 56, 8B, 75, 08, 8D, 45, 10...
 
[+]

Code size:
1.3 MB (1,333,760 bytes)

The file GuardMailRu.exe has been discovered within the following program.

Guard.Mail.ru  by Mail.Ru
Guard.Mail.ru is part of the Guard Mail service.
www.mail.ru
42% remove it
 
Powered by Should I Remove It?

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to mra.mail.ru  (217.69.139.127:80)

TCP (HTTP):
Connects to moscow.cdnmail.ru  (94.100.180.110:80)

TCP (HTTP):
Connects to mrds.mail.ru  (217.69.139.245:80)

Remove GuardMailRu.exe - Powered by Reason Core Security