GuardMailRu.exe
GuardMailRu Module by LLC Mail.Ru (Signed)
Warning: 20 antivirus scanners have detected malware in various versions of GuardMailRu.exe.
Overview
There are 14 versions of guardmailru.exe in the wild, the latest version being 1, 0, 0, 596. It is started as a Windows Service with the name 'Guard.Mail.ru'. During installation, a Run registry key for all users is added that causes the program to run each time any user logs on to Windows. The average file size is about 2.35 MB. The file is digitally signed with a certificate issued to LLC Mail.Ru by Thawte. Numerous variations of guardmailru.exe have been installed with both [email protected] and Guard.Mail.ru. During the process's lifecycle, typical CPU utilization is about 0.0014% including both foreground and background operations; average private memory consumption is about 3.5 MB, with the maximum reaching around 9.49 MB. Additionally, typical disk I/O is about 979.23 KB per minute for reads and 300.21 KB per minute for writes.
Details
File name: | guardmailru.exe |
Product name: | GuardMailRu Module |
Typical file path: | C:\Program Files\mail.ru\guard\guardmailru.exe |
Certificate
Issued to: | LLC Mail.Ru |
Authority (CA): | Thawte |
Effective date: | Monday, September 12, 2011 |
Expiration date: | Wednesday, July 2, 2014 |
Windows Service
Service name: | Guard.Mail.ru |
Type: | Win32OwnProcess |
Programs installed in
(Note: the programs listed below are for all versions of GuardMailRu Module.)
Guard.Mail.ru is part of the Guard Mail service.
Behaviors
(Note: the behaviors below are for all versions of guardmailru.exe.)
Services
Runs under 'SYSTEM\CurrentControlSet\Services' by the Service Controller (services.exe)
Startup files (all users) run
Runs under the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
- 'Guard.Mail.ru.gui' → "C:\Program Files\Mail.Ru\Guard\GuardMailRu.exe" /gui
Malware detections
Of the 40+ industry antivirus scanners used, 20 reported the following detections.
Antivirus engine | Engine version | Detection | File version |
avast! | 8.0.1489.320 | Win32:BrowserTakeover-A [PUP] | 1, 0, 0, 596 |
avast! | 8.0.1489.320 | Win32:BrowserTakeover-B [PUP] | 1, 0, 0, 493 |
Baidu Antivirus | 3.5.1.41473 | Trojan.RuMail.4986 | 1, 0, 0, 556 |
Kingsoft | 2013.4.9.267 | Win32.HeurC.KVM019.a.(kcloud) | 1, 0, 0, 549 |
Kingsoft | 2013.4.9.267 | Win32.HeurC.KVM019.a.(kcloud) | 1, 0, 0, 556 |
Kingsoft | 2013.4.9.267 | Win32.Troj.Undef.(kcloud) | 1, 0, 0, 596 |
McAfee | 5.600.1067 | Artemis!495EA863690C | 1, 0, 0, 596 |
McAfee Gateway Anti-Malware | v2013-dat | Artemis!495EA863690C | 1, 0, 0, 596 |
Rising Antivirus | 24.56.01.04 | Trojan.RuMail!4986 | 1, 0, 0, 462 |
Rising Antivirus | 24.65.03.05 | Suspicious | 1, 0, 0, 241 |
Rising Antivirus | 24.55.01.01 | Trojan.RuMail!4986 | 1, 0, 0, 501 |
Rising Antivirus | 24.81.03.04 | Trojan.RuMail!4986 | 1, 0, 0, 545 |
Rising Antivirus | 24.81.03.04 | Trojan.RuMail!4986 | 1, 0, 0, 549 |
Rising Antivirus | 24.83.02.04 | Trojan.RuMail!4986 | 1, 0, 0, 556 |
Rising Antivirus | 24.85.03.04 | Trojan.RuMail!4986 | 1, 0, 0, 596 |
Sophos | 4.94.0 | RsMall | 1, 0, 0, 596 |
Sophos | 4.95.0 | RsMall | 1, 0, 0, 493 |
Trend Micro HouseCall | 9.700.0.1001 | TROJ_GEN.F47V1021 | 1, 0, 0, 448 |
Trend Micro HouseCall | 9.700.0.1001 | TROJ_GEN.F47V0715 | 1, 0, 0, 549 |
Trend Micro HouseCall | 9.700.0.1001 | TROJ_GEN.F47V1005 | 1, 0, 0, 596 |
All file variations of guardmailru.exe
Distribution by Windows OS
OS version | distribution |
Microsoft Windows XP | 42.86% |
Windows 7 Ultimate | 24.49% |
Windows 7 Home Basic | 14.29% |
Windows 7 Home Premium | 12.24% |
Windows 7 Professional | 6.12% |
Distribution by country
About 32.65% of GuardMailRu Module installations are in Russia.
Distribution by PC manufacturer
PC Manufacturer | distribution |
ASUS | 43.24% |
Samsung | 13.51% |
Dell | 10.81% |
Hewlett-Packard | 10.81% |
GIGABYTE | 8.11% |
American Megatrends | 5.41% |
Lenovo | 5.41% |
Acer | 2.70% |