GuardMailRu.exe

GuardMailRu Module

LLC Mail.Ru

GuardMailRu.exe, published by LLC Mail.Ru, has been detected as a potentially unwanted program by 12 anti-malware scanners. It is set to execute automatically whenever any user logs into Windows (through the local user Run registry setting) under the name ‘Guard.Mail.ru.gui’. It is also the uninstaller utility registered in the Windows Control Panel for the program Guard@Mail.Ru by Mail.ru. While running, it connects to the Internet address mrds.mail.ru on port 80 using HTTP.
Publisher:
LLC Mail.Ru  (signed and verified)

Product:
GuardMailRu Module

Version:
1, 0, 10, 846

MD5:
3bc593520565fe33e87eb3b31f5ab7db

SHA-1:
3fd73b622d1db3f83d8d48a80d87dc2b2f94c8f3

SHA-256:
76cbb74a992d83001746da2c5187021a64290a6ea5b482ead02c2d52f1810b47

Scanner detections:
12 / 68

Status:
Potentially unwanted

Analysis date:
4/26/2024 5:28:47 AM UTC

Scan engine              Detection                          Engine version
avast!                   Win32:BrowserTakeover-A [PUP]      2014.9-141120
AVG                      MalSign.Generic                    2015.0.3285
Baidu Antivirus          Trojan.Win32.RuMail                4.0.3.141120
Bkav FE                  W32.Clodc0a.Trojan                 1.3.0.4613
Comodo Security          Application.Win32.RuMail.pwhe      17604
Dr.Web                   Adware.Downware.533                9.0.1.0324
McAfee                   Artemis!E3169A1E78E0               5600.6941
Reason Heuristics        PUP.Optional.MailRu.L              14.11.20.6
Rising Antivirus         PE:Trojan.RuMail!1.6574            23.00.65.141118
Sophos                   RsMall                             4.96
Trend Micro House Call   TROJ_GEN.F47V1102                  7.2.324
XVirus List              Win.Detected                       2.3.31

File size:
3.8 MB (3,946,216 bytes)

Product version:
1, 0, 10, 846

Copyright:
Copyright 2010

Original file name:
GuardMailRu.exe

File type:
Executable application (Win32 EXE)

Common path:
C:\Program Files\mail.ru\guard\guardmailru.exe

Digital Signature
Signed by:

Authority:
Thawte, Inc.

Valid from:
8/19/2014 4:00:00 AM

Valid to:
8/13/2016 3:59:59 AM

Subject:
CN=LLC Mail.Ru, O=LLC Mail.Ru, L=Moscow, S=Moscow, C=RU

Issuer:
CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US

Serial number:
3C484F9655CF5CDDA51678E773A55BF3

File PE Metadata
Compilation timestamp:
11/18/2014 2:18:21 PM

OS version:
5.1

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
12.0

CTPH (ssdeep):
98304:YIxER0dESMY4G4HH54/2cHNKSdlATNf4J1n+0RrhWG:HSR0ddBL4n54/2oKS3DNb

Entry address:
0x1E6F4C

Entry point:
E8, 75, 12, 01, 00, E9, 7F, FE, FF, FF, E9, 80, 02, 00, 00, 6A, 0C, 68, 90, 68, 75, 00, E8, E9, 13, 01, 00, 83, 65, E4, 00, 8B, 5D, 0C, 8B, C3, 8B, 7D, 10, 0F, AF, C7, 8B, 75, 08, 03, F0, 89, 75, 08, 83, 65, FC, 00, 4F, 89, 7D, 10, 78, 0C, 2B, F3, 89, 75, 08, 8B, CE, FF, 55, 14, EB, EE, 33, C0, 40, 89, 45, E4, C7, 45, FC, FE, FF, FF, FF, E8, 14, 00, 00, 00, E8, EA, 13, 01, 00, C2, 10, 00, 8B, 7D, 10, 8B, 5D, 0C, 8B, 75, 08, 8B, 45, E4, 85, C0, 75, 0B, FF, 75, 14, 57, 53, 56, E8, 01, 00, 00, 00, C3, 6A, 14...

Entropy:
6.6175

Code size:
2.8 MB (2,927,104 bytes)

Program Uninstaller (2 entries)
Program name:
Guard@Mail.Ru

Display publisher:
Mail.ru

Display version:
1.0.0.620

Uninstall string:
"C:\Program Files\Mail.Ru\Guard\GuardMailRu.exe" /uninstall

Program name:
Guard.Mail.Ru

Display publisher:
Mail.Ru

Uninstall string:
C:\Program Files\Mail.Ru\Guard\GuardMailRu.exe /uninstall


Startup File (All Users Run)
Registry location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Name:
Guard.Mail.ru.gui

Command:
"C:\Program Files\mail.ru\guard\guardmailru.exe" \gui


The executing file has been seen to make the following network communications in live environments.

TCP (HTTP):
Connects to vrrp-hoe.p.mail.ru  (217.69.134.55:80)

TCP (HTTP):
Connects to mrds.mail.ru  (217.69.139.245:80)

TCP (HTTP):
Connects to vrrp-kirka.p.mail.ru  (217.69.134.56:80)

Powered by Reason Core Security