List:       firewall-wizards
Subject:    Re: strange icmp packets (tsadbot)
From:       youngk () ttc ! com
Date:       1999-03-20 19:59:49


> We have been seeing these for many months.  Mostly at a very low level, and
> I would not have noticed them at all except that they hit a private subnet
> that has never had any machines on it.  They also hit other IP addresses
> that do exist.  But when I see icmp response packets when there was no
> query packet, I assume an attempt at a stealth scan.

I have noticed strange icmp packets originating from several of our
internal machines going to the 149.1.1.x network. After asking the users
who were sitting at the Win95/Win98/WinNT desktop machines, they said that
they had "no idea why their PC was doing that".

I did some research and discovered a daemon running on each PC called
"tsadbot". After looking into this further, I found out that some programs
(specifically in my case PKZIP Shareware for Windows) install an
advertising program which will ping the 149.1.1.x network every X minutes
while the PC is on. It is installed and used by PKZIP to download/display
advertisements on your PC. It is not installed if you purchase the
full-blown PKZIP for Windows, but continues to run after the shareware
trial period and even if you uninstall the product.

The advertiser's site didn't mention how to remove it (or what the product
does over the Internet), so I figured out the simple solution.

I don't know if this violates your software vendor's license agreement, so
use at your own risk.

Remove "tsadbot.exe" from this registry key, reboot the machine, then
delete "tsadbot.exe" from the \WINDOWS\ directory.
     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

<rant>
Why do vendors assume that once you install their software, they have
control over your PC and what you want to do with it? If I were a competing
ad vendor, should I have the "right" to remove this software and install my
own? Why is it that if you buy software, you buy everything that also gets
installed with it (no matter if you know what it is or not)...
</rant>

--Keith
-youngk@ttc.com
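
Added example, not part of the original message: a Python sketch of the two checks discussed in this thread, flagging ICMP echo replies that arrive with no matching request and internal hosts that ping the 149.1.1.x network at a fixed interval. The record layout, the sample records, the function names and the reading of "149.1.1.x" as 149.1.1.0/24 are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

# Assumption: "149.1.1.x" from the message is read as a /24.
AD_NET = ipaddress.ip_network("149.1.1.0/24")

# Constructed sample records: (epoch_seconds, src, dst, icmp_type, icmp_id)
# icmp_type 8 = echo request, 0 = echo reply
SAMPLE = [
    (0,    "10.0.0.5",    "149.1.1.7", 8, 1),
    (1,    "149.1.1.7",   "10.0.0.5",  0, 1),
    (600,  "10.0.0.5",    "149.1.1.7", 8, 2),
    (1200, "10.0.0.5",    "149.1.1.7", 8, 3),
    (1300, "203.0.113.9", "10.0.9.1",  0, 77),  # reply with no request
    (1400, "10.0.0.8",    "192.0.2.1", 8, 5),
    (1401, "192.0.2.1",   "10.0.0.8",  0, 5),
]

def unsolicited_replies(records, window=30):
    """Echo replies with no matching echo request seen within `window` seconds."""
    pending = {}  # (requester, target, icmp_id) -> time the request was seen
    hits = []
    for ts, src, dst, typ, ident in sorted(records):
        if typ == 8:
            pending[(src, dst, ident)] = ts
        elif typ == 0:
            # A legitimate reply reverses the request's src/dst and keeps its id.
            sent = pending.pop((dst, src, ident), None)
            if sent is None or ts - sent > window:
                hits.append((ts, src, dst))
    return hits

def periodic_pingers(records, net=AD_NET, min_count=3, jitter=60):
    """Hosts sending echo requests into `net` at a roughly fixed interval.

    Returns {host: average_interval_seconds}.
    """
    times = defaultdict(list)
    for ts, src, dst, typ, _ in sorted(records):
        if typ == 8 and ipaddress.ip_address(dst) in net:
            times[src].append(ts)
    result = {}
    for host, seen in times.items():
        if len(seen) < min_count:
            continue
        gaps = [b - a for a, b in zip(seen, seen[1:])]
        if max(gaps) - min(gaps) <= jitter:  # near-constant spacing suggests a timer
            result[host] = sum(gaps) // len(gaps)
    return result
```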
