RE: port 17027

["Ray, Garrett - Mclean" <Garrett.Ray () spacenet com>]

In addition to persistent connection attempts to the Conducent (Timesink,
Multitudes, Interramp, Schoffstall) ad servers, Conducent-enabled shareware
also opens inbound port 20 from time to time (ftp-data). We observed this
only once, but it was from one of the Conducent domains named above. In
another instance we counted several hundred outbound connection attempts by
a single TSAdBot agent over the course of one week. Another user was almost
crippled by the spam which began to arrive shortly after the installation of
the Conducent shareware (can't prove this was related to TSAdBot, but the
timing was strong).



The TSAdbot.exe agent executes from a registry run key under Win32. Users
will rarely notice its installation and execution (esp under Windoze 95/98).
The second best solution short of banning shareware is to (a) kill the
running TSAdbot.exe process and (b) delete the executable from user
machines. Deleting the Conducent app(s) *will not* solve the problem. Once
installed, the shareware apps and the TSAdbot are effectively two separate
and independent programs.



Dvorak wrote a nice little piece about this recently:



http://www.conducent.com/forbes040300.shtm



------------------------------------------------

You have people who have installed "adware" with ads from Conducent,
shareware

programs that go get advertising to show on the desktop from these sites.
IF

you check HTTP traffic to those same IP's you will find a lot more, but if
you

block the HTTP, the programs will try to blow away your network with about
10-15

connect attemtps a second. Best to have companty policy to not install
shareware

without permission.

Look in the clients registry for entries for Conducent, Timesink or Aureate.