From: "Jagg" <jagg@it.invalid>
> On Mon, 13 Jun 2011 03:19:53 GMT, Dustin wrote:
>
>> Jagg <jagg@it.invalid> wrote in
>> news:1bfa3iesaf0hj.1f77jb3neybus.dlg@40tude.net:
>>
>>> Malwarebytes and a few others claim it is a trojan but the majority
>>> of AV does not. All the big-name scanners do not detect it as a
>>
>> You'd have to be more specific. A logfile sample would be of great value.
>> Or, better yet, you should post to the Malwarebytes forum. You can find
>> it here:
>>
>> http://forums.malwarebytes.org/
>
> I see Softpedia used to host it but no longer do and the same with CNET.
> Either someone has done a good smear campaign on it or it really is a
> trojan. I would like to know 100% one way or another. I do have a MBAM log
> file but it is on another PC right now and will post it later. Here are
> some links of interest though and you could dload Ultrasurf and scan it
> yourself because it does warrant investigation due to the fact there are
> probably thousands of people using it with no idea it may be a trojan
> because most AV does not flag it as such.
>
> http://www.ultrareach.com/usercenter_en.htm
>
> http://www.how-to-hide-ip.info/2009/...surf-a-trojan/
>
> http://www.rosoftdownload.com/downlo...ows/ultrasurf/
> "RoSoftDownload.com team has tested UltraSurf against viruses, spyware,
> adware, trojan, backdoors and was found to be 100% clean of any form of
> malware.
> Our editors will test this application periodically to assure that it
> remains clean.
> Click the link below to view the entire antivirus report."
>
> http://www.wilderssecurity.com/showthread.php?t=288844
> "I have been using UltraSurf for years and never had a problem. Recently,
> NOD32 reports it as :
>
> UltraSurf 10.04.exe - a variant of Win32/Packed.Themida potentially
> unwanted application
>
> I have sent it for analysis but that doesn't help my case.
>
> Can someone confirm what is this?
>
> Answer is NO. It is packed with Themida software. Actually Themida is a
> software protection product designed to prevent software from being
> "cracked" and does use encryption, therefore, is very difficult for any
> anti-virus to confirm one way or another if it's malware.
>
> Unfortunately, Themida is highly used by virus writers, keylogger writers,
> etc., to conceal their malware. That is why Anti-Virus vendors detect
> Themida packed application as PUA. You have to be sure if the application
> packed with Themida is legit application or actually a malware. If you are
> absolutely sure that packed application is legit then go for it else keep
> one hand distance from that application."
>
> http://www.wilderssecurity.com/showt...ight=UltraSurf
> "As many of you are aware, there was a thread about dissecting Ultrasurf.
> We found significant malware behavior, and worst of all we found that
> ultrasurf promotes man in the middle attacks by allowing any ssl cert, even
> mismatched and self-signed certs and preventing the user from seeing a
> popup about it.
>
> Ultrasurf is designed to be a free http proxy tool, and it is somewhat, but
> this is a cover for it to be a virus / malware that is nearly stealth and
> undetectable to normal virus scanners because of its heuristic avoidance
> and encrypted payloads.
>
> At this time we recommend everyone to delete ultrasurf and download a free
> copy of VBA32 antivirus which will correctly identify it, as all other
> antivirus software does not."
Apparently this is grey area software. An anonymizing proxy client that has been used
maliciously (to what extent I do not know).
http://www.virustotal.com/file-scan/...198-1307934742
--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp