Sponsored by..

Friday 3 December 2010

Beware of worid-of-books.com

worid-of-books.com is a fake book download site punting malicious executables. The strange name can be explained if you substitute the lowercase "i" with an uppercase one, giving worId-of-books.com which is presumably meant to fool people.

The site looks reasonably credible and appears to have about a million downloadable books, but they are not all that they seem to be. If you try to download a book, you get an EXE file instead of a PDF. What's in the EXE file? Well, malware of course! Detection is fairly patchy according to VirusTotal, but this appears to be a Cycbot variant.

Download it a second time and you actually do get a PDF file.. well, an 8 byte file that just says "PDF file" and nothing else. Subsequent attempts seem to fail with an error message of "We are sorry, this book is now being checked. Try to download it later!". It's pretty clear that worid-of-books.com is tracking visitors (perhaps by IP address) to stop them being able to repeat the infection.

The site is hosted on which is Asociatia Family Network Connections / FAMILY-NETWORK in Romania, along with a whole load of other sites. It's worth blocking everything in this IP range.

The ThreatExpert report is here, it might help you clean up your machine if infected.


Paul said...

This is one of the very few times I got fooled. I was searching for a particular ebook, and this site listed it. I downloaded the file [booktitle].pdf.exe, and the little warning bell in my head didn't go off like it should have.

I think I removed all the files manually, but I'm not sure if there are any registry entries.

These 3 files showed up in the Task Manager:

Using Jotti's online malware detector, most antivirus products found a virus, but didn't agree on the name. Several said it was Gen:Variant.Kazy.3079. No other name appeared more than once.

It found Nsc.exe to be identical to Ntesoa.exe.

I didn't keep the original pdf.exe file, but some time later, I downloaded another one from the same evil WORID website, and, using Jotti, most virus checkers did not detect anything. Several found Gen:Variant.Kazy.3079

Mary Curtis said...

I discovered this terrible site because one of my books was offered as a free download. I am an author and my work is copyrighted. I clicked "Abuse" and told them to stop displaying my book as I did not ever consent to a free download. Rest assured that I will get the word out to avoid worid-of-books.com!

Unknown said...

I jumped at the offer of a free download of a fairly obscure and hard-to-get scholarly article. My up-to-date Norton anti-virus failed to recognise the threat on the google search-page, but it did detect something amiss before I opened the file. It didn't name the threat, but recommended deletion. Which I promptly did, but we'll see... guess I'd better check my Task Manager. There's one born every minute, and I'm one of them.

Roger McKeon said...

I was hit as well. These people are crooks. When I tried to download a book, what I got instead were three infected files:

C:\Documents and Settings\...\Local Settings\Temp\Fwk.exe --> Gen:Variant.Kazy.9776
--> c:\windows\tasks\{62c40aa6-4406-467a-a5a5-dfdf1b559b7a}.job

C:\DOCUME~1\...\LOCALS~1\Temp\Fwl.exe --> Gen:Variant.Kazy.9776
--> Process Fwl.exe (1332)

C:\DOCUME~1\...\LOCALS~1\Temp\Fwm.exe --> Gen:Variant.Kazy.9776
--> Process Fwm.exe (184)

BitDefender QuickScan ( http://quickscan.bitdefender.com/ ) & Malwarebytes ( http://www.malwarebytes.org/ ), both free, saved the day.

DO NOT DOWNLOAD ANYTHING from worid-of-books.com.

Ruaidhrí said...

I just got caught with this aswell, anti-Malware software doesn't seem to be detecting it, can anyone let me know the best way to remove this without purchasing expensive software? Time's are tight you know

Roger McKeon said...

Ruaidhrí : Have you tried BitDefender QuickScan (http://quickscan.bitdefender.com/)?

The free version did the job for me, in conjunction with Malwarebytes (http://www.malwarebytes.org/), also free. (Start with BitDefender, then use Malwarebytes to clean up.)

Good luck to you.

Ruaidhrí said...

Cheers, that did the business Roger. What a relief!

Go raibh míle maith agat