W32/Ovagur, Dropper.Generic.GKQ, Dropper.Small.ewm, W32/Smalldrp.JWY
Category: Computer Virus
Active & Spreading
Some parts of Asia, Europe, North and South America, Africa and Australia
31 Oct 2006
On October 31, 2006, a virus that can infect .exe files on removable disks and network mapped drives was discovered. The virus was named W32.Ovagur. It mainly affects Windows systems, including Windows 2000, 95, 98, Me, NT Server 2003 and XP. The virus might not be that contagious, but important files will be lost once W32.Ovagur is installed on the computer.
W32.Ovagur Removal Tool
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer virus removal tool to automatically clean W32.Ovagur from your computer.
More details about W32.Ovagur
W32.Ovagur installs itself in several steps. First, it drops two files: %Windir%\ocmsn.old and %System%\NvVid.sys. It then copies itself to %System%\NvVid.exe and creates two more files: %Windir%\ocmsn.log and %Windir%\ocgen.log. Under two system registry subkeys, the virus creates entries that register NvVid.sys as a service. Creating these entries allows a value to be added to the system registry subkey. The worm uses a rootkit driver to hide itself. Next, the worm searches drives D through Z for .exe files. Some of these .exe files are larger than 200,000 bytes; they are mostly found on network mapped drives and removable drives such as USB drives. When the virus detects such large .exe files, it infects them. In addition, the virus drops %Temp%\tmp107.tmp, which is a copy of Trojan.Dropper, and other files that are copies of Backdoor.Haxdoor.N.
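Because the rootkit driver can hide files from a running system, the dropped files listed above are more reliably checked on a volume mounted offline (a disk image or the drive attached to a clean machine). The script below is an added example, not part of the original write-up: it resolves %Windir%, %System% and %Temp% under a mounted root and reports which of the listed files exist. The folder layouts it tries are assumptions, and it does not check the registry, since the write-up does not name the subkeys.

```python
import os
import sys
# File names from the description above, keyed by the symbolic folder they sit in.
ARTIFACTS = {"windir": ["ocmsn.old", "ocmsn.log", "ocgen.log"],
             "system": ["NvVid.sys", "NvVid.exe"],
             "temp": ["tmp107.tmp"]}
# Assumed on-disk layouts (not from the page) for the Windows versions listed.
WINDIR_NAMES, SYSTEM_NAMES = ["Windows", "WINNT"], ["System32", "System"]
PROFILE_TEMPS = [("Documents and Settings", "Local Settings/Temp"),
                 ("Users", "AppData/Local/Temp")]

def ci_child(parent, name):
    """Entry of `parent` matching `name` ignoring case, or None."""
    try:
        entries = os.listdir(parent)
    except OSError:  # missing, unreadable, or not a directory
        return None
    return next((os.path.join(parent, e) for e in entries
                 if e.lower() == name.lower()), None)

def ci_path(base, rel):
    """Resolve a '/'-separated relative path under `base`, ignoring case."""
    for part in rel.split("/"):
        base = ci_child(base, part) if base else None
    return base

def candidate_dirs(root):
    """Map each symbolic folder to the real directories found under `root`."""
    dirs = {"windir": [], "system": [], "temp": []}
    for windir in filter(None, (ci_child(root, w) for w in WINDIR_NAMES)):
        dirs["windir"].append(windir)
        dirs["temp"].append(ci_child(windir, "Temp"))
        dirs["system"] += [ci_child(windir, s) for s in SYSTEM_NAMES]
    for profiles, rel in PROFILE_TEMPS:
        base = ci_child(root, profiles)
        for user in (os.listdir(base) if base else []):
            dirs["temp"].append(ci_path(os.path.join(base, user), rel))
    return dirs

def find_artifacts(root):
    """Return sorted paths of listed artifact files present under `root`."""
    hits = []
    for kind, dirs in candidate_dirs(root).items():
        for d in filter(None, dirs):
            hits += [p for n in ARTIFACTS[kind]
                     if (p := ci_child(d, n)) and os.path.isfile(p)]
    return sorted(hits)

if __name__ == "__main__":
    print("\n".join(find_artifacts(sys.argv[1] if len(sys.argv) > 1 else ".")))
```

Pass the mount point of the suspect volume as the only argument; a hit is a lead for a full antivirus scan, not a verdict, because these file names are the only indicators the description gives.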
The W32.Ovagur program is typically used to spread adware, spyware, and Trojan software. This can cause random pop-up advertisements to appear whenever the system is connected to the Internet. The user’s browsing habits are also monitored and sent to a remote server. This is used to build a consumer profile and send more specific advertising. The software may allow a remote user to control the infected system.