PUA.Packed.Themida?

I scanned a file on virustotal and got this result:

Engine              Version     Update      Result
ClamAV              0.91.2      2007.12.27  PUA.Packed.Themida
VirusBuster         4.3.26:9    2007.12.27  Packed/Themida
F-Prot              4.4.2.54    2007.12.28  W32/Heuristic-162!Eldorado
Webwasher-Gateway   6.6.2       2007.12.27  Win32.Malware.gen (suspicious)
Sunbelt             2.2.907.0   2007.12.27  VIPRE.Suspicious

Is this a virus or a false alarm?

It also says:
PEiD: Themida/WinLicense V1.8.0.2
packers: Themida
and
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
It cut off the result names:
(I'll try again)
(in order as above)

PUA Packed Themida
Packed Themida
W32 Heuristic 162 !Eldorado
Win32 Malware gen (suspicious)
Win32 Malware gen (suspicious)

Chosen Answer:

Looks like an attempt to install a backdoor to me.

Themida was originally a type of file encryption designed to protect business software from reverse engineering.

It adds a bunch of fake data to the source file and then compresses it, resulting in a file size almost 500k larger than the original file.

By way of this process all the internal source and string signatures are obfuscated from plain view.

Unfortunately the Themida packer went rogue about a year ago when the original application was cracked by malware authors.

Now there are even videos on YouTube showing how to crack the software and use it to create backdoor trojans that will bypass common virus scanners.

If it’s a valid business application on an authorized CD, then maybe it’s a false alarm. In such a case I would contact the distributor of the software to be on the safe side.

But given the circumstances and presentation of the question on yahoo answers it’s more than likely someone’s attempt at “clever” malware.
by: Zoey Grey
on: 30th December 07
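The detections above ("PUA.Packed.Themida", "Packed/Themida", "Heuristic", "Suspicious") are generic packer and heuristic signatures rather than a match on known malicious code, which is why the same file can be either a protected commercial program or a packed trojan. The following is an added example, written for this page and not code from the question or the answer, of the two cheapest checks such a signature keys on: section names that a packer leaves behind, and section entropy close to 8 bits per byte, which compressed or encrypted code produces and plain compiled code does not. It parses the DOS header, COFF header and section table by hand with the standard library only (no pefile), and runs over a PE image constructed in memory, not a real file. The Themida/WinLicense section names in PACKER_SECTION_NAMES are assumed from common packer-signature lists and are only an indicator; a packer that randomises section names leaves the entropy test as the only signal.

```python
"""Heuristic packer check for a PE file: section names plus per-section entropy.

Added example, not code from the question or the answer. It parses the DOS
header, COFF header and section table by hand (stdlib only, no pefile) and
runs over a constructed in-memory PE image, not a real file.
"""
import math
import random
import struct

# Section names associated with Themida/WinLicense in common packer-signature
# lists. Assumed/illustrative here: an indicator, never proof on its own, and
# absent entirely when the packer randomises section names.
PACKER_SECTION_NAMES = {b".themida", b"WinLicen", b".winlice"}
HIGH_ENTROPY = 7.0       # bits per byte; compressed/encrypted data sits near 8.0
MIN_SECTION_SIZE = 256   # entropy of a tiny section is bounded by log2(size)


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Yield (name, raw_offset, raw_size) for every entry in the section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    for i in range(num_sections):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
        # PointerToRawData, then relocation/line-number fields and Characteristics.
        name, _vsize, _va, raw_size, raw_ptr, *_ = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        yield name.rstrip(b"\0"), raw_ptr, raw_size


def packer_indicators(pe: bytes) -> dict:
    """Per-section entropy plus which heuristics fired; this is the kind of
    evidence a generic 'Packed/...' detection is built on."""
    result = {"sections": [], "suspicious_names": [], "high_entropy": []}
    for name, off, size in parse_sections(pe):
        entropy = shannon_entropy(pe[off:off + size])
        result["sections"].append((name, round(entropy, 2)))
        if name in PACKER_SECTION_NAMES:
            result["suspicious_names"].append(name)
        if size >= MIN_SECTION_SIZE and entropy >= HIGH_ENTROPY:
            result["high_entropy"].append(name)
    result["likely_packed"] = bool(result["suspicious_names"] or result["high_entropy"])
    return result


def build_sample_pe(sections) -> bytes:
    """Construct a minimal PE image (DOS stub, COFF header, section table, raw
    data) for exercising the parser. Constructed input: it is not loadable and
    omits the optional header (SizeOfOptionalHeader = 0)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x0102)
    raw_ptr = e_lfanew + 24 + 40 * len(sections)
    table, body = b"", b""
    for name, data in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data),
                             0x1000, len(data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
    return dos + coff + table + body


# Constructed sample sections: a NOP sled plus a string is low entropy, while
# deterministic pseudo-random bytes stand in for an encrypted packer section.
_rng = random.Random(7)
_PLAIN_CODE = b"\x90" * 512 + b"Hello, world\0"
_ENCRYPTED = bytes(_rng.getrandbits(8) for _ in range(4096))

SAMPLE_PLAIN = build_sample_pe([(b".text", _PLAIN_CODE), (b".data", b"\0" * 256)])
SAMPLE_PACKED = build_sample_pe([(b".text", _PLAIN_CODE), (b".themida", _ENCRYPTED)])

if __name__ == "__main__":
    for label, image in (("plain", SAMPLE_PLAIN), ("packed", SAMPLE_PACKED)):
        print(label, packer_indicators(image))
```

Run against a real file with `packer_indicators(open(path, "rb").read())`. A hit only tells you the file is packed, not that it is malicious; the answer's advice still applies, so treat a packed binary that came from anywhere other than the vendor's own signed distribution as untrusted until the vendor confirms it.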
