After my last blog entry on Grokster, I got some interesting new things to look at.

Eric Howes emailed me with this snippet: “Just tested the Grokster install on a Win2K machine: this thing drops the .NET install bomb on computers without .NET already (which may be why you didn’t see this). No surprise, really, given that it installs BroadcastPC.tv, which was the culprit in the previous rounds. As with those previous installs, there is no notice whatsoever that .NET would be installed.”

So Grokster is installing a BIG FAT .NET PAYLOAD!!!  Sounds familiar…

Then Alex Morganis blogs that Grokster is installing a trojan.    Interestingly, he got the same results I did, but F-Secure is tagging one of the files as a trojan. It’s this nasty KVM thing, whose entire purpose in life is to bring down other adware (Eric’s seen it on other sites as well, such as 4w-wrestling(dot)com).

And now, for the final blow, Grokster hoodwinked someone at Download.com, who despite their laudable “Zero Tolerance No Adware” policy, has allowed Grokster to be downloaded again.

The download.com version is a different than the one on the Grokster site but pretty darned close.  It still installs Cydoor, which displays ads (within the Grokster app). It still pops you to http://client(dot)grokster(dot)com/us/start/?c=as&ver=265, which provides friendly adware installs.  And then on reboot it prompts the user to install BlueTide Software (Surf Sidekick), which displays pop-up ads on the user’s desktop in response to user web browsing.

This Grokster install at Download.com is the second piece of adware we’ve seen back on the download.com site. The other is Warez p2p, which does contextual advertising as well as installing new.net.  

One of our researchers reports that after allowing this Grokster installation to fester for a while, the installed software downloaded a raft of other software, including ABI/Aurora.

Madness.

Alex Eckelberry