GuardMailRu.exe

GuardMailRu Module

LLC Mail.Ru

The application GuardMailRu.exe by LLC Mail.Ru has been detected as a potentially unwanted program by 11 anti-malware scanners. It runs as a separate Windows service (in the context of its own process) named “Guard.Mail.ru”. This file is typically installed with the program Guard@Mail.Ru by Mail.Ru. While running, it connects to the Internet address kojura.mail.ru on port 80 using the HTTP protocol.
Publisher:
LLC Mail.Ru (signed and verified)

Product:
GuardMailRu Module

Version:
1, 0, 0, 596

MD5:
495ea863690c0e074751600c29993b4d

SHA-1:
9a71c4e80927fd79e68f2faac4b6a2a3b78c9cb6

SHA-256:
e40e515ce5381cdc351df7ec7bd40edbfbf027213538720352ae5e55a33ddc84

Scanner detections:
11 / 68

Status:
Potentially unwanted

Analysis date:
11/27/2024 2:00:41 AM UTC

Scan engine             Detection                        Engine version
avast!                  Win32:BrowserTakeover-A [PUP]    2014.9-131230
AVG                     MalSign.Generic                  2015.0.3521
Baidu Antivirus         Trojan.Win32.RuMail              4.0.3.14328
Bkav FE                 W32.Clod21c.Trojan               1.3.0.4613
Comodo Security         Application.Win32.RuMail.pwhe    17604
Dr.Web                  Adware.Downware.533              9.0.1.087
McAfee                  Artemis!495EA863690C             5600.7265
Reason Heuristics       PUP.Optional.Service.L           14.3.28.18
Rising Antivirus        Trojan.RuMail!4986               23.00.65.131228
Sophos                  RsMall                           4.94
Trend Micro House Call  TROJ_GEN.F47V1005                7.2.364

File size:
6.6 MB (6,956,576 bytes)

Product version:
1, 0, 0, 596

Copyright:
Copyright 2010

Original file name:
GuardMailRu.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\mail.ru\guard\guardmailru.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
12/9/2011 3:00:00 AM

Valid to:
2/7/2014 2:59:59 AM

Subject:
CN=LLC Mail.Ru, O=LLC Mail.Ru, L=Moscow, S=Moscow, C=RU

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
1C09DBBC732D4B58F7A88EBACF323417

File PE Metadata
Compilation timestamp:
10/4/2013 1:26:57 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
10.0

CTPH (ssdeep):
196608:1kBkStuon/LkqnayrTzXbYnO0mDe8ioBq:1kBkSAon/Lkx4TzMnO0/8nBq

Entry address:
0x1A29E0

Entry point:
E8, 24, D2, 00, 00, E9, 89, FE, FF, FF, 8B, FF, 55, 8B, EC, 5D, E9, 06, 0F, 00, 00, 8B, FF, 51, C7, 01, AC, 2C, 62, 00, E8, A1, D2, 00, 00, 59, C3, 8B, FF, 55, 8B, EC, 56, 8B, F1, E8, E3, FF, FF, FF, F6, 45, 08, 01, 74, 07, 56, E8, CC, FF, FF, FF, 59, 8B, C6, 5E, 5D, C2, 04, 00, 8B, FF, 55, 8B, EC, 8B, 45, 08, 83, C1, 09, 51, 83, C0, 09, 50, E8, 55, 86, 00, 00, F7, D8, 59, 1B, C0, 59, 40, 5D, C2, 04, 00, CC, CC, CC, CC, CC, CC, CC, CC, CC, CC, 8D, 42, FF, 5B, C3, 8D, A4, 24, 00, 00, 00, 00, 8D, 64, 24, 00...

Code size:
2 MB (2,056,192 bytes)

Service
Display name:
Guard.Mail.ru

Type:
Win32OwnProcess

The file GuardMailRu.exe has been discovered within the following programs.

Guard.Mail.ru by Mail.Ru (www.mail.ru)
Guard.Mail.ru is part of the Guard Mail service.
42% of users remove it

Guard@Mail.Ru by Mail.Ru
Guard@Mail.Ru is part of the Guard Mail service.
42% of users remove it

Powered by Should I Remove It?

The executing file has been seen to make the following network communication in live environments.

TCP (HTTP):
Connects to kojura.mail.ru (217.69.133.27:80)

Powered by Reason Core Security