Aliases: W32/Ovagur, Dropper.Generic.GKQ, Dropper.Small.ewm, W32/Smalldrp.JWY
Variants: W32.Ovagur!inf

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 31 Oct 2006
Damage: Low

Characteristics: On October 31, 2006, a virus that can infect .exe files in removable disks and network mapped drives was discovered. The virus was called W32.Ovagur. This kind of virus mainly affects Windows systems. These systems include Windows 2000, 95, 98, Me, NT Server 2003 and XP. The damage this virus brings might not be that contagious, but important files will be lost once W32.Ovagur is installed in the computer.

More details about W32.Ovagur

W32.Ovagur is installed by performing several actions. First, it drops two files: %Windir%\ocmsn.old and %System%\NvVid.sys. Then, it produces a copy of itself as %System%\NvVid.exe. Two other files are created: %Windir%\ocmsn.log and %Windir%\ocgen.log. Under two system registry subkeys, the virus creates entries allowing NvVid.sys to be registered as a service. Creation of entries enables a value to be added to the system registry subkey. The worm uses a rootkit driver making its access to be hidden to other files. Next, the worm finds drives from D to Z and looks for .exe files. There are some .exe files that are larger than 200,000 bytes. Those files are mostly found in a network mapped drive and removable drives such as USB drive. If these files are detected by the virus, large .exe files would be infected. Moreover, the virus drops %Temp%\tmp107.tmp, which is basically a copy of Trojan.Dropper and other files which are copies of Backdoor.Haxdoor.N.

The W32.Ovagur program is typically used to spread adware, spyware, and Trojan software. This can cause random pop-up advertisements to appear whenever the system is connected to the Internet. The user’s browsing habits are also monitored and sent to a remote server. This is used to build a consumer profile and send more specific advertising. The software may allow a remote user to control the infected system.