Firewall Wizards mailing list archives
Re: strange icmp packets (tsadbot)
From: youngk () ttc com
Date: Sat, 20 Mar 1999 14:59:49 -0500
We have been seeing these for many months. Mostly at a very low level, and I would not have noticed them at all except that they hit a private subnet that has never had any machines on it. They also hit other IP addresses that do exist. But when I see icmp response packets when there was no query packet, I assume an attempt at a stealth scan.
I have noticed strange icmp packets originating from several of our internal machines going to the 149.1.1.x network. After asking the users who were sitting at the Win95/Win98/WinNT desktop machines, they said that they had "no idea why their PC was doing that". I did some research and discovered a daemon running on each PC called "tsadbot".

After looking into this further, I found out that some programs (specifically in my case PKZIP Shareware for Windows) install an advertising program which will ping the 149.1.1.x network every X minutes while the PC is on. It is installed and used by PKZIP to download/display advertisements on your PC. It is not installed if you purchase the full-blown PKZIP for Windows, but continues to run after the shareware trial period and even if you uninstall the product.

The advertiser's site didn't mention how to remove it (or what the product does over the Internet), so I figured out the simple solution. I don't know if this violates your software vendor's license agreement, so use at your own risk. Remove "tsadbot.exe" from this registry key, reboot the machine, then delete "tsadbot.exe" from the \WINDOWS\ directory.

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

<rant>
Why do vendors assume that once you install their software, they have control over your PC and what you want to do with it? If I were a competing ad vendor, should I have the "right" to remove this software and install my own? Why is it that if you buy software, you buy everything that also gets installed with it (no matter if you know what it is or not)...
</rant>

--Keith
-youngk () ttc com
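The two observations in this thread, ICMP replies that arrive with no matching query and desktops that repeatedly ping 149.1.1.x, can both be checked from firewall packet records. The following is an added example, not part of the original post; the record format, the /24 reading of "149.1.1.x", the 10-second reply window and the sample traffic are assumptions constructed for illustration.

```python
import ipaddress
from collections import namedtuple

# Constructed record format (an assumption): one row per ICMP packet seen at the firewall.
Pkt = namedtuple("Pkt", "ts src dst icmp_type ident seq")

ECHO_REPLY, ECHO_REQUEST = 0, 8
AD_NET = ipaddress.ip_network("149.1.1.0/24")  # "149.1.1.x" from the post, read as a /24
REPLY_WINDOW = 10.0                            # seconds a request stays answerable (assumed)

def analyze(packets):
    """Return (unsolicited_replies, beaconing_hosts) for a list of Pkt records."""
    pending = {}      # (requester, target, ident, seq) -> timestamp of the echo request
    unsolicited = []  # echo replies with no matching request
    beacons = {}      # source host -> timestamps of echo requests sent towards AD_NET
    for p in sorted(packets, key=lambda p: p.ts):
        if p.icmp_type == ECHO_REQUEST:
            pending[(p.src, p.dst, p.ident, p.seq)] = p.ts
            if ipaddress.ip_address(p.dst) in AD_NET:
                beacons.setdefault(p.src, []).append(p.ts)
        elif p.icmp_type == ECHO_REPLY:
            # A legitimate reply mirrors the request: addresses swapped, same id/seq.
            sent = pending.pop((p.dst, p.src, p.ident, p.seq), None)
            if sent is None or p.ts - sent > REPLY_WINDOW:
                unsolicited.append(p)
    # Report only hosts that ping the ad network repeatedly (the "every X minutes" pattern).
    repeat = {h: t for h, t in beacons.items() if len(t) >= 2}
    return unsolicited, repeat

# Constructed sample traffic; addresses other than 149.1.1.x are documentation ranges.
SAMPLE = [
    Pkt(0.0,   "192.0.2.10",   "149.1.1.5",   8, 512, 1),
    Pkt(0.2,   "149.1.1.5",    "192.0.2.10",  0, 512, 1),  # answered request
    Pkt(5.0,   "198.51.100.7", "192.0.2.200", 0, 77,  3),  # reply to an unused address, no request
    Pkt(300.0, "192.0.2.10",   "149.1.1.5",   8, 512, 2),
    Pkt(300.3, "149.1.1.5",    "192.0.2.10",  0, 512, 2),
    Pkt(400.0, "192.0.2.11",   "203.0.113.9", 8, 9,   1),  # ordinary ping elsewhere
]

if __name__ == "__main__":
    replies, hosts = analyze(SAMPLE)
    for p in replies:
        print(f"unsolicited echo reply {p.src} -> {p.dst} at t={p.ts}")
    for h, times in hosts.items():
        print(f"{h} pinged {AD_NET} {len(times)} times: {times}")
```

Hosts reported in the second result are the ones to check for a "tsadbot.exe" entry under the Run key named in the post.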