- Win32/Gapz exploits a known vulnerability in older Microsoft Windows versions that lets its dropper be installed inside the explorer.exe address space. This gives it detection evasion, privilege escalation, and finally host infection via shellcode running in the explorer.exe address space. The signature looks for the associated user-agents that come paired with known vulnerable Windows versions that are obsolete and not used by current releases (e.g. MSIE 9 rather than Edge).
- Explorer.exe dropper injection
Known False Positive Indicators
- To determine whether this has fired falsely, verify the host's Windows version against the affected-host list below. If the host runs a vulnerable version, it will need to be scanned for malicious software, which usually targets the VBR or MBR via command execution from Explorer.exe.
- x86: Windows XP SP2 and higher (except Windows Vista and Vista SP1)
- x64: Windows Vista SP2 and higher
TROJAN Possible Win32/Gapz MSIE 9 on Windows NT 5
- No correlating DNS request
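The triage flow above (match the user-agent the signature keys on, check for a correlating DNS request, and check the host against the affected-host list) as an added example; this code is not from the original page or from any signature vendor. The regex is my reading of the rule name "MSIE 9 on Windows NT 5", the proxy log, DNS log and host inventory are constructed sample data, and the pipe-separated log format is an assumption.

```python
import re
from dataclasses import dataclass

# Assumed user-agent pattern implied by the rule name "MSIE 9 on Windows NT 5":
# an IE 9 user-agent paired with an NT 5.x (XP / Server 2003) platform token.
UA_PATTERN = re.compile(r"MSIE 9\.\d;.*Windows NT 5\.\d")

# Constructed sample proxy log lines: client_ip | destination host | user-agent
PROXY_LOG = [
    "10.0.0.5|update.example.net|Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 5.1; Trident/5.0)",
    "10.0.0.6|cdn.example.org|Mozilla/5.0 (Windows NT 10.0; Win64; x64) Edge/91.0",
    "10.0.0.7|static.example.com|Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.2; WOW64)",
]

# Constructed DNS query log: (client_ip, queried_name)
DNS_LOG = [
    ("10.0.0.5", "update.example.net"),
    ("10.0.0.6", "cdn.example.org"),
]

# Constructed host inventory: client_ip -> (arch, os_family, service_pack)
HOST_INVENTORY = {
    "10.0.0.5": ("x86", "XP", 3),
    "10.0.0.6": ("x64", "10", 0),
    "10.0.0.7": ("x86", "Vista", 1),
}

# Release order used to evaluate "and higher" in the affected-host list.
OS_ORDER = {"XP": 0, "Vista": 1, "7": 2, "8": 3, "8.1": 4, "10": 5}


def host_is_affected(arch, os_family, service_pack):
    """Affected-host list from the page:
    x86: XP SP2 and higher, except Vista RTM and Vista SP1
    x64: Vista SP2 and higher
    """
    rank = OS_ORDER.get(os_family)
    if rank is None:
        return False
    if arch == "x86":
        if os_family == "XP":
            return service_pack >= 2
        if os_family == "Vista":
            return service_pack >= 2
        return rank > OS_ORDER["Vista"]
    if arch == "x64":
        if os_family == "Vista":
            return service_pack >= 2
        return rank > OS_ORDER["Vista"]
    return False


@dataclass
class Hit:
    client: str
    host: str
    user_agent: str
    dns_correlated: bool
    host_affected: bool

    @property
    def verdict(self):
        # Both false-positive indicators from the page are checked before escalating.
        if self.host_affected and self.dns_correlated:
            return "investigate: scan MBR/VBR and check explorer.exe for injected code"
        if not self.dns_correlated:
            return "likely false positive: no correlating DNS request"
        return "likely false positive: host not on affected list"


def triage(proxy_log=PROXY_LOG, dns_log=DNS_LOG, inventory=HOST_INVENTORY):
    """Return one Hit per proxy line whose user-agent matches the signature."""
    dns_seen = set(dns_log)
    hits = []
    for line in proxy_log:
        client, host, ua = line.split("|", 2)
        if not UA_PATTERN.search(ua):
            continue
        arch, family, sp = inventory.get(client, ("unknown", "unknown", 0))
        hits.append(Hit(client, host, ua,
                        dns_correlated=(client, host) in dns_seen,
                        host_affected=host_is_affected(arch, family, sp)))
    return hits


if __name__ == "__main__":
    for hit in triage():
        print(f"{hit.client} -> {hit.host}: {hit.verdict}")
```

Run as-is, the first client (XP SP3, DNS request present) is escalated, while the third (Vista SP1, no DNS request) is flagged as a probable false positive on both indicators; in a real deployment the three constructed tables would be replaced by proxy, DNS and asset-inventory queries.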