Is UltraSurf really a virus?

Discussion in 'ESET NOD32 Antivirus' started by berryracer, Dec 14, 2010.

Thread Status:
Not open for further replies.
  1. berryracer (Suspended Member)

    I have been using UltraSurf for years and never had a problem. Recently, NOD32 reports it as:

    UltraSurf 10.04.exe - a variant of Win32/Packed.Themida potentially unwanted application

    I have sent it for analysis but that doesn't help my case.

    Can someone confirm what this is?
  2. AvinashR (Registered Member)

    The answer is NO. It is packed with Themida software. Themida is a software protection product designed to prevent software from being "cracked", and it uses encryption; therefore it is very difficult for any anti-virus to confirm one way or another whether it's malware.

    Unfortunately, Themida is heavily used by virus writers, keylogger writers, etc., to conceal their malware. That is why anti-virus vendors detect Themida-packed applications as PUA. You have to be sure whether the application packed with Themida is a legitimate application or actually malware. If you are absolutely sure that the packed application is legitimate, then go for it; otherwise keep your distance from that application.
  3. Marcos (Eset Staff Account)

    The fact that a file is packed with Themida and detected as such does not make it an FP. As far as I know, UltraSurf is not considered clean by other AVs either.
  4. AvinashR (Registered Member)

    Well please re-read my above statement.
  5. AvinashR (Registered Member)

    Well, UltraSurf is clean software IMO. As it was packed with Themida, it was detected by AV vendors.
  6. AvinashR (Registered Member)

    Well, I was not supposed to post the VT result, but I want to say that only 4/41 vendors are detecting UltraSurf as PUA. Dr. Web is detecting it as Trojan.Downloader, and I am sure it is an FP.

    Rest depends upon AV vendors.
  7. berryracer (Suspended Member)

    Thanks for the informative replies guys!

    Cheers
  8. berryracer (Suspended Member)

    Strangely enough, NOD32 is no longer nagging about it. I dunno if version 10.04 of UltraSurf has enhanced the code or what? Strange... anyway, I'm keeping it as it has never given me any trouble.
  9. Marcos (Eset Staff Account)

    To put it right, UltraSurf is neither a perfectly clean application nor malware; it should rather be classified as potentially unsafe. Apparently the application is not digitally signed by its vendor, which is one of the factors that increases the level of suspicion.
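    As an added illustration of the two signals raised in this thread (a protector such as Themida leaving high-entropy sections, and the absence of a digital signature), here is a small PE triage script. It is example code written for this page, not ESET's detection logic or any UltraSurf code; the PE image it inspects is constructed inline, and the 7.0 bits/byte threshold and the section names are assumptions.

```python
import math
import struct

HIGH_ENTROPY = 7.0  # bits/byte; compressed or encrypted code usually sits above this (assumed threshold)

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def triage_pe(image: bytes) -> dict:
    """Report per-section entropy and whether the Certificate Table entry is populated (size > 0 => signature blob present)."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    opt = pe + 24                                          # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # data directories start: PE32 vs PE32+
    _cert_off, cert_size = struct.unpack_from("<II", image, dirs + 4 * 8)  # entry 4 = Certificate Table
    sections = []
    for i in range(nsec):
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         round(entropy(image[raw_ptr:raw_ptr + raw_size]), 2)))
    packed = any(e >= HIGH_ENTROPY for _, e in sections)
    return {"sections": sections, "signed": cert_size > 0,
            "likely_packed": packed, "needs_review": packed and cert_size == 0}

def build_sample(payload: bytes, signed: bool) -> bytes:
    """Constructed two-section PE32 image (headers only, not a runnable program) for offline tests."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HH12xHH", 0x14C, 2, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    if signed:                                             # Certificate Table holds a file offset, not an RVA
        struct.pack_into("<II", opt, 128, 0x600, 0x100)
    text = struct.pack("<8sIIII16x", b".text", 0x200, 0x1000, 0x200, 0x200)
    pack = struct.pack("<8sIIII16x", b".packed", 0x200, 0x2000, len(payload), 0x400)
    head = (dos + coff + bytes(opt) + text + pack).ljust(0x200, b"\0")
    image = head + b"\x90" * 0x1F0 + b"\xc3" * 0x10 + payload.ljust(0x200, b"\0")
    return image + (b"\x30" * 0x100 if signed else b"")   # placeholder WIN_CERTIFICATE blob
```

    Running `triage_pe(build_sample(bytes(range(256)) * 2, signed=False))` reproduces the "packed and unsigned" combination the thread discusses; a hit is a reason to look closer, not proof of malice, which is exactly why such files land in the PUA/potentially unsafe category rather than being called malware.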
  10. AvinashR (Registered Member)

    On what basis are you saying that it is not a clean application? Only because it is packed/encrypted with Themida, or do you have any strong reason to say it? Or are you saying it because it was not digitally signed by its vendor?

    I heard that it is quite difficult to reverse engineer Themida-packed applications... that is why AV vendors flag all Themida-packed applications as PUA. Not sure though... :)
  11. Marcos (Eset Staff Account)

    Based on what is written on the official website of UltraSurf:
    This makes the application potentially unsafe (i.e. unwanted by admins) in certain environments.
  12. AvinashR (Registered Member)

    Well, I have found nothing which says that the application is not clean. I do agree with you that in certain environments like offices, schools or other govt. organisations this application can be considered a Potentially Unsafe Application, but it is neither malware nor badware.

    Last but not least, no company will write bad things about its product. So I don't know why you said "It was written on the official website of UltraSurf"... I haven't found anything bad. :p
  13. elchakan (Registered Member)

    It's not a virus, it's more like a back door. The group that makes those programs uses your PC to attack whatever target they want to; your PC basically becomes part of a huge botnet, plus it may record stuff that you are doing. :cautious:

    Most of the time you won't notice anything. You don't have to believe me, but if you monitor it and let it run 24h for 4-6 months you may see it making connections to weird sites, some gov. :ninja: sites, and if you are lucky enough you may catch it making attacks; that is when it uses a lot of bandwidth. But like I said, most of the time you won't notice anything; the group doesn't use it every month.

    I tracked 2 attacks; all IPs were coming from China. :ninja:

    Well, use at your own risk, you have been told.

    Spread the word.

    Cya.
  14. AvinashR (Registered Member)

    Isn't that a funny JOKE. UltraSurf is not a backdoor, nor are its authors involved in such things... Please do not spread wrong information among users. :mad:
  15. perfectoptimizer (Lurker)

    FPs are always with us; what do these antivirus companies do to avoid that happening again? This is a big issue.
  16. Marcos (Eset Staff Account)

    There will always be certain FPs; however, every AV company should strive to minimize them to the bare minimum and not flag prevalent clean files at all.

    This case is not an FP. The vendor can contact ESET by emailing samples[at]eset.com to sort out the Themida issue. However, it's very likely UltraSurf will remain detected as a potentially unsafe application (detection is disabled by default) due to the purpose it serves, which is likely to be unwanted in certain environments.
  17. aigle (Registered Member)
