After my last blog entry on Grokster, I got some interesting new things to look at.

Eric Howes emailed me with this snippet: “Just tested the Grokster install on a Win2K machine: this thing drops the .NET install bomb on computers without .NET already (which may be why you didn’t see this). No surprise, really, given that it installs, which was the culprit in the previous rounds. As with those previous installs, there is no notice whatsoever that .NET would be installed.”

So Grokster is installing a BIG FAT .NET PAYLOAD!!!  Sounds familiar…

Then Alex Morganis blogs that Grokster is installing a trojan.    Interestingly, he got the same results I did, but F-Secure is tagging one of the files as a trojan. It’s this nasty KVM thing, whose entire purpose in life is to bring down other adware (Eric’s seen it on other sites as well, such as 4w-wrestling(dot)com).

And now, for the final blow, Grokster hoodwinked someone at, who despite their laudable “Zero Tolerance No Adware” policy, has allowed Grokster to be downloaded again.

The version is a different than the one on the Grokster site but pretty darned close.  It still installs Cydoor, which displays ads (within the Grokster app). It still pops you to http://client(dot)grokster(dot)com/us/start/?c=as&ver=265, which provides friendly adware installs.  And then on reboot it prompts the user to install BlueTide Software (Surf Sidekick), which displays pop-up ads on the user’s desktop in response to user web browsing.

This Grokster install at is the second piece of adware we’ve seen back on the site. The other is Warez p2p, which does contextual advertising as well as installing  

One of our researchers reports that after allowing this Grokster installation to fester for a while, the installed software downloaded a raft of other software, including ABI/Aurora.


Alex Eckelberry


Get your free 30-day GFI LanGuard trial

Get immediate results. Identify where you’re vulnerable with your first scan on your first day of a 30-day trial. Take the necessary steps to fix all issues.