Is UltraSurf really a virus?

Discussion in 'ESET NOD32 Antivirus' started by berryracer, Dec 14, 2010.

Thread Status:
Not open for further replies.
  1. berryracer

    berryracer Suspended Member

    Joined:
    Jan 24, 2008
    Posts:
    1,640
    Location:
    Dubai, UAE
    I have been using UltraSurf for years and never had a problem. Recently, NOD32 reports it as:

    UltraSurf 10.04.exe - a variant of Win32/Packed.Themida potentially unwanted application

    I have sent it for analysis but that doesn't help my case.

    Can someone confirm what this is?
     
  2. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Answer is NO. It is packed with Themida software. Actually Themida is a software protection product designed to prevent software from being "cracked" and does use encryption; therefore, it is very difficult for any anti-virus to confirm one way or another if it's malware.

    Unfortunately, Themida is highly used by virus writers, keylogger writers, etc., to conceal their malware. That is why Anti-Virus vendors detect Themida packed applications as PUA. You have to be sure if the application packed with Themida is a legit application or actually malware. If you are absolutely sure that the packed application is legit then go for it, else keep one hand distance from that application.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,330
    The fact that a file is packed with Themida and detected so does not make it an FP. As far as I know, UltraSurf is not considered clean by other AVs either.
     
  4. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Well please re-read my above statement.
     
  5. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Well UltraSurf is a clean software IMO. As it was packed with Themida, so it was detected by AV vendors.
     
  6. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Well I was not supposed to post VT result, but I want to say that only 4/41 vendors are detecting Ultra Surf as PUA. Well Dr. Web is detecting it as Trojan.Downloader, and I am sure it is FP.

    Rest depends upon AV vendors.
     
  7. berryracer

    berryracer Suspended Member

    Joined:
    Jan 24, 2008
    Posts:
    1,640
    Location:
    Dubai, UAE
    Thanks for the informative replies guys!

    Cheers
     
  8. berryracer

    berryracer Suspended Member

    Joined:
    Jan 24, 2008
    Posts:
    1,640
    Location:
    Dubai, UAE
    Strangely enough, NOD32 is no longer nagging about it. I dunno if version 10.04 of UltraSurf has enhanced the code or what? Strange... anyway, I'm keeping it as it has never given me any trouble.
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,330
    To put it right, UltraSurf is not a perfectly clean application nor malware, it should be rather classified as potentially unsafe. Apparently the application is not digitally signed by its vendor which is one of the factors that increases the level of suspiciousness.
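
Posts 2 and 9 above name two static factors behind the detection: the file is packed, and it carries no digital signature. As an added example (not part of the thread and not ESET's detection logic), the Python below checks a PE image for both; the 7.2 bits/byte threshold, the `triage` and `build_sample` names and the two sample images are assumptions constructed here.

```python
import hashlib, math, struct
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(pe: bytes, threshold: float = 7.2) -> dict:
    """List high-entropy sections and whether a certificate table is present."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]              # e_lfanew
    if pe[:2] != b"MZ" or pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsects, opt_size = struct.unpack_from("<H12xH", pe, nt + 6)
    opt = nt + 24                                           # optional header start
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (112 if magic == 0x20B else 96)            # PE32+ vs PE32
    ndirs = struct.unpack_from("<I", pe, dirs - 4)[0]       # NumberOfRvaAndSizes
    # Directory 4 = certificate table; presence only, the signature is NOT validated.
    cert_size = struct.unpack_from("<I", pe, dirs + 4 * 8 + 4)[0] if ndirs > 4 else 0
    sections = {}
    for i in range(nsects):
        off = opt + opt_size + 40 * i                       # 40-byte section headers
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        sections[name] = entropy(pe[raw_ptr:raw_ptr + raw_size])
    return {"sections": sections,
            "high_entropy": [n for n, e in sections.items() if e >= threshold],
            "has_certificate_table": cert_size > 0}

def build_sample(payload: bytes, cert_size: int = 0) -> bytes:
    """Constructed one-section PE32 image for the demo (not a real program)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 4 * 8, 0x400 + len(payload), cert_size)
    sect = struct.pack("<8sIIII12xI", b".sample", len(payload), 0x1000, len(payload), 0x400, 0xE0000020)
    hdr = dos + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr.ljust(0x400, b"\0") + payload + b"\0" * cert_size

# Constructed inputs: hash output stands in for encrypted section data.
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
PACKED_UNSIGNED = build_sample(NOISE)
PLAIN_WITH_CERT = build_sample(b"push ebp; mov ebp, esp; " * 170, cert_size=8)

if __name__ == "__main__":
    for label, img in (("packed", PACKED_UNSIGNED), ("plain", PLAIN_WITH_CERT)):
        print(label, triage(img))
```

High entropy only shows that a section is compressed or encrypted, which holds for any packer and not Themida specifically; as the posts say, it does not settle whether the file is malicious.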
     
  10. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    On what basis are you saying that it is not a clean application? Only because it is packed/encrypted with Themida or do you have any strong reason to say it? Or are you saying it because it was not digitally signed by its vendor?

    I heard that it is quite difficult to reverse engineer Themida packed applications...that is why AV vendors flag all Themida packed applications as PUA.. Not sure though .. :)
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,330
    Based on what is written on the official website of UltraSurf:
    This makes the application potentially unsafe (ie. unwanted by admins) in certain environments.
     
  12. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Well I have found nothing which says that the application is not clean. I do agree with you that in certain environments like Offices or Schools or other govt. organisations this application can be considered a Potentially Unsafe Application, but it is neither malware nor badware.

    Last but not least, No company will write bad things about their product. So I don't know why you said that "It was written on the official website of UltraSurf" ... I haven't found anything bad. :p
     
  13. elchakan

    elchakan Registered Member

    Joined:
    Dec 14, 2010
    Posts:
    1
    it's not a virus, it's more like a back door, the group that makes those programs uses your pc to attack whatever target they want to, your pc basically becomes part of a huge botnet, plus it may record stuff that you are doing. :cautious:

    most of the time you won't notice anything, u don't have to believe me, but if u monitor it and let it be on 24h in 4/6 months you may get it making connections to weird sites, some gov.:ninja: sites and if u lucky enough u may catch it making attacks, that is when it uses a lot of bandwidth, but like i said, most of the time u won't notice anything, the group don't use it every month.

    i tracked 2 attacks, all ips were coming from china.:ninja:

    well use at your own risk, u have been told,

    spread the word.

    cya.
     
  14. AvinashR

    AvinashR Registered Member

    Joined:
    Dec 26, 2009
    Posts:
    2,060
    Location:
    New Delhi Metallo β-Lactamase 1
    Isn't it a funny JOKE? Ultra-Surf is not a backdoor, nor are its authors involved in such things .. Please do not spread wrong information among users. :mad:
     
  15. perfectoptimizer

    perfectoptimizer Lurker

    Joined:
    Dec 15, 2010
    Posts:
    1
    FP is always in our life, what do these antivirus companies do to avoid that happening again? This is a big issue.
     
  16. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,330
    There will always be certain FPs, however, every AV company should strive for minimizing them to the bare minimum and not flag prevalent clean files at all.

    This case is not an FP. The vendor can contact ESET by emailing samples[at]eset.com to sort out the Themida issue. However, it's very likely UltraSurf will remain detected as a potentially unsafe application (detection is disabled by default) due to the purpose it serves, which is likely to be unwanted in certain environments.
     
  17. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    10,848
    Location:
    Saudi Arabia/ Pakistan