Security Incidents mailing list archives

Re: Port 1975 again


From: bejtlich () TEXAS NET (Richard Bejtlich)
Date: Fri, 31 Dec 1999 02:14:31 -0000


Hello,

The outbound connections you are seeing are most likely the result of 
advert.dll, installed with one of the shareware programs listed at 
this link:

http://www.aureate.com/downloads/network_members.html

advert.dll implements advertisements in shareware products like CuteFTP.  
It pulls ads from remote servers and displays them in the application.  
These ads are the "price" for some shareware these days.

Here is Aureate's FAQ on the advertising system:

http://manage.aureate.com/developers/sdk_doc/faq.html

A person calling himself "Kept_Anonymous" detailed his experience with 
advert.dll, port 1975, and CuteFTP here:

http://crazyboy.com/fravia/fravia.org/sha2adw.htm

I do not know if you can cripple the ad retrieval system without damaging 
the underlying application.

Happy new year,

Richard

