Wilders Security Forums  

#1  December 14th, 2010, 06:00 AM
berryracer
Is UltraSurf really a virus?

I have been using UltraSurf for years and never had a problem. Recently, NOD32 reports it as:

UltraSurf 10.04.exe - a variant of Win32/Packed.Themida potentially unwanted application

I have sent it for analysis but that doesn't help my case.

Can someone confirm what this is?
__________________
ASUS G75VW-T1086V
CPU: i7-3610QM 2.30/3.30 GHz.
Memory: 16 GB DDR3 1600 Mhz. RAM
Storage: 256GB SSD + 1TB HDD
Graphics: GeForce GTX 670M 3GB
Screen: 17.3' Full HD LED Screen

#2  December 14th, 2010, 06:13 AM
AvinashR
Re: Is UltraSurf really a virus?

Quote:
Originally Posted by Matrix Leader
I have been using UltraSurf for years and never had a problem. Recently, NOD32 reports it as:

UltraSurf 10.04.exe - a variant of Win32/Packed.Themida potentially unwanted application

I have sent it for analysis but that doesn't help my case.

Can someone confirm what this is?

The answer is NO. It is packed with Themida software. Actually, Themida is a software protection product designed to prevent software from being "cracked" and does use encryption; therefore, it is very difficult for any anti-virus to confirm one way or another whether it's malware.

Unfortunately, Themida is heavily used by virus writers, keylogger writers, etc., to conceal their malware. That is why anti-virus vendors detect Themida-packed applications as PUA. You have to be sure whether the application packed with Themida is a legit application or actually malware. If you are absolutely sure that the packed application is legit, then go for it; otherwise, keep your distance from that application.
__________________
∆√♪ηάکђ
ℓєтک υηcσммpℓιcαтє
http://www.adminus.net
http://technonxt.wordpress.com

#3  December 14th, 2010, 06:37 AM
Marcos (Eset Moderator)
Re: Is UltraSurf really a virus?

Quote:
Originally Posted by AvinashR
Answer is NO.

The fact that a file is packed with Themida and detected as such does not make it an FP. As far as I know, UltraSurf is not considered clean by other AVs either.

#4  December 14th, 2010, 06:50 AM
AvinashR
Re: Is UltraSurf really a virus?

Quote:
Originally Posted by Marcos
The fact that a file is packed with Themida and detected as such does not make it an FP. As far as I know, UltraSurf is not considered clean by other AVs either.

Well, please re-read my above statement.

#5  December 14th, 2010, 06:52 AM
AvinashR
Re: Is UltraSurf really a virus?

Quote:
Originally Posted by Marcos
UltraSurf is not considered clean by other AVs either.

Well, UltraSurf is clean software IMO. As it was packed with Themida, it was detected by AV vendors.

#6  December 14th, 2010, 07:03 AM
AvinashR
Re: Is UltraSurf really a virus?

Well, I was not supposed to post the VT result, but I want to say that only 4/41 vendors are detecting Ultra Surf as PUA. Well, Dr. Web is detecting it as Trojan.Downloader, and I am sure it is an FP.

The rest depends upon the AV vendors.

#7  December 14th, 2010, 08:05 AM
berryracer
Re: Is UltraSurf really a virus?

Thanks for the informative replies guys!

Cheers

#8  December 14th, 2010, 08:06 AM
berryracer
Re: Is UltraSurf really a virus?

Strangely enough, NOD32 is no longer nagging about it. I dunno if version 10.04 of UltraSurf has enhanced the code or what? Strange... anyway, I'm keeping it as it has never given me any trouble.

#9  December 14th, 2010, 08:11 AM
Marcos (Eset Moderator)
Re: Is UltraSurf really a virus?

To put it right, UltraSurf is neither a perfectly clean application nor malware; it should rather be classified as potentially unsafe. Apparently the application is not digitally signed by its vendor, which is one of the factors that increase the level of suspiciousness.

#10  December 14th, 2010, 08:58 AM
AvinashR
Re: Is UltraSurf really a virus?

Quote:
Originally Posted by Marcos
To put it right, UltraSurf is neither a perfectly clean application nor malware; it should rather be classified as potentially unsafe. Apparently the application is not digitally signed by its vendor, which is one of the factors that increase the level of suspiciousness.

On what basis are you saying that it is not a clean application? Only because it is packed/encrypted with Themida, or do you have any strong reason to say it? Or are you saying it because it was not digitally signed by its vendor?

I heard that it is quite difficult to reverse engineer Themida-packed applications... that is why AV vendors flag all Themida-packed applications as PUA. Not sure though.

#11  December 14th, 2010, 09:51 AM
Marcos (Eset Moderator)
Re: Is UltraSurf really a virus?

Quote:
Originally Posted by AvinashR
On what basis are you saying that it is not a clean application?

Based on what is written on the official website of UltraSurf:

Quote:
UltraSurf allows you to overcome the censorship and blockage on the Internet.

This makes the application potentially unsafe (i.e. unwanted by admins) in certain environments.

#12  December 14th, 2010, 10:59 AM
AvinashR
Re: Is UltraSurf really a virus?

Quote:
Originally Posted by Marcos
Based on what is written on the official website of UltraSurf:

This makes the application potentially unsafe (i.e. unwanted by admins) in certain environments.

Well, I have found nothing which says that the application is not clean. I do agree with you that in certain environments like offices or schools or other govt. organisations this application can be considered a Potentially Unsafe Application, but it is neither malware nor badware.

Last but not least, no company will write bad things about their product. So I don't know why you said that "It was written on the official website of UltraSurf"... I haven't found anything bad.

#13  December 14th, 2010, 08:46 PM
elchakan
Re: Is UltraSurf really a virus?

Quote:
Originally Posted by Matrix Leader
I have been using UltraSurf for years and never had a problem. Recently, NOD32 reports it as:

UltraSurf 10.04.exe - a variant of Win32/Packed.Themida potentially unwanted application

I have sent it for analysis but that doesn't help my case.

Can someone confirm what this is?

It's not a virus, it's more like a back door. The group that makes those programs uses your PC to attack whatever target they want to; your PC basically becomes part of a huge botnet, plus it may record stuff that you are doing.

Most of the time you won't notice anything. You don't have to believe me, but if you monitor it and let it be on 24h, in 4/6 months you may catch it making connections to weird sites, some gov. sites, and if you're lucky enough you may catch it making attacks; that is when it uses a lot of bandwidth. But like I said, most of the time you won't notice anything; the group doesn't use it every month.

I tracked 2 attacks; all IPs were coming from China.

Well, use at your own risk, you have been told,

spread the word.

cya.

#14  December 15th, 2010, 01:22 AM
AvinashR
Re: Is UltraSurf really a virus?

Isn't it a funny JOKE? Ultra-Surf is not a backdoor, nor are its authors involved in such things. Please do not spread wrong information among users.

#15  December 15th, 2010, 04:17 AM
perfectoptimizer
Re: Is UltraSurf really a virus?

FPs are always in our life; what do these antivirus companies do to avoid that happening again? This is a big issue.

#16  December 15th, 2010, 04:33 AM
Marcos (Eset Moderator)
Re: Is UltraSurf really a virus?

Quote:
Originally Posted by perfectoptimizer
FPs are always in our life; what do these antivirus companies do to avoid that happening again? This is a big issue.

There will always be certain FPs; however, every AV company should strive to minimize them to the bare minimum and not flag prevalent clean files at all.

This case is not an FP. The vendor can contact ESET by emailing samples[at]eset.com to sort out the Themida issue. However, it's very likely UltraSurf will remain detected as a potentially unsafe application (detection is disabled by default) due to the purpose it serves, which is likely to be unwanted in certain environments.

#17  December 15th, 2010, 10:38 AM
aigle
Re: Is UltraSurf really a virus?

I will just stay away from UltraSurf, though I have no way to confirm the OP's views in this thread.

http://www.wilderssecurity.com/showt...ight=UltraSurf
__________________

Ubuntu 12.10
AX64 Time Machine, Comodo FW & Defence Plus, Sandboxie not compatible?
 
