Threat behavior
Spyware:Win32/Conducent is adware that may be bundled with other software or off-the-shelf computer games.
Installation
Win32/Conducent may be bundled and installed by a third-party program. When installed, the following directories may be created on an affected machine:
%ProgramFiles%\flexpak
%ProgramFiles%\timesink
The following files may be dropped into these directories:
tsad.dll
tsuninstaller.exe
tsadbot.exe
tsinstall.exe
tsinst.exe
ts001.exe
tsinst.msi
tschannelconfig.exe
ctinstall.exe
gpinstall.exe
ctchanconfig.dll
A component named 'flexactv.dll' is written to the %windir% folder. Next, the registry is modified to run Win32/Conducent at each Windows start:
Adds value: "timesink ad client"
With data: <Conducent path>\<Conducent executable>
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Adds value: %windir%\flexactv.dll
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls
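The artifacts listed above can be checked on a host with a read-only script. The following PowerShell is an added example, not part of the original analysis or any Microsoft tool; the function name Get-ConducentArtifact is hypothetical, and the extra checks of the 32-bit locations on 64-bit Windows (Program Files (x86), WOW6432Node) are an assumption that goes beyond what the page lists.

```powershell
# Added example: read-only check for the Win32/Conducent artifacts named on this page.
# Assumption: on 64-bit Windows the 32-bit locations (Program Files (x86), WOW6432Node)
# are checked as well; the page itself names only %ProgramFiles% and HKLM\SOFTWARE.
$dirNames  = 'flexpak', 'timesink'
$fileNames = 'tsad.dll', 'tsuninstaller.exe', 'tsadbot.exe', 'tsinstall.exe', 'tsinst.exe',
             'ts001.exe', 'tsinst.msi', 'tschannelconfig.exe', 'ctinstall.exe',
             'gpinstall.exe', 'ctchanconfig.dll'

function Get-ConducentArtifact {   # hypothetical helper name
    # 1. Install directories and the dropped files inside them
    $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    foreach ($root in $roots) {
        foreach ($name in $dirNames) {
            $dir = Join-Path $root $name
            if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
            [pscustomobject]@{ Type = 'Directory'; Item = $dir; Data = '' }
            Get-ChildItem -LiteralPath $dir -File -Recurse -ErrorAction SilentlyContinue |
                Where-Object { $fileNames -contains $_.Name } |
                ForEach-Object { [pscustomobject]@{ Type = 'File'; Item = $_.FullName; Data = '' } }
        }
    }

    # 2. Component written to %windir%
    $flexDll = Join-Path $env:windir 'flexactv.dll'
    if (Test-Path -LiteralPath $flexDll -PathType Leaf) {
        [pscustomobject]@{ Type = 'File'; Item = $flexDll; Data = '' }
    }

    # 3. Run value ("timesink ad client") and the SharedDlls entry for flexactv.dll
    foreach ($sw in 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\WOW6432Node') {
        $cv  = "$sw\Microsoft\Windows\CurrentVersion"
        $run = Get-ItemProperty -LiteralPath "$cv\Run" -ErrorAction SilentlyContinue
        if ($run -and $null -ne $run.'timesink ad client') {
            [pscustomobject]@{ Type = 'RunValue'; Item = "$cv\Run"; Data = $run.'timesink ad client' }
        }
        $shared = Get-ItemProperty -LiteralPath "$cv\SharedDlls" -ErrorAction SilentlyContinue
        if ($shared) {
            $shared.PSObject.Properties | Where-Object { $_.Name -like '*\flexactv.dll' } |
                ForEach-Object { [pscustomobject]@{ Type = 'SharedDll'; Item = $_.Name; Data = $_.Value } }
        }
    }
}

Get-ConducentArtifact | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed artifacts were found in the checked locations. Any RunValue row shows the executable path that is launched at each Windows start.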
Additional Information
Note: The Conducent Affiliate Network includes CD-ROM distributors as well as online distributors. Hence, buyers of 'off-the-shelf' software by eGames™ (www.egames.com) may be surprised to find Conducent installed along with their purchases.
Analysis by Subratam Biswas
Prevention