A multicomponent rootkit that infects both 32-bit and 64-bit versions of Windows. Installation is started by shellcode built from return-oriented programming (ROP) gadgets, which lets it run from memory that is not marked executable, and executed inside explorer.exe; to get the code there, Trojan.Gapz.1 relies on undocumented behaviour of the Windows user-interface (window message) event handler.
The bootkit's installer also tries to bypass UAC, i.e. to obtain elevated privileges, by exploiting two vulnerabilities: the first is incorrect processing of a registry key when the EnableEUDC feature is used, the second lies in the graphics subsystem and is triggered with a specially crafted font (Dexter Regular). Both are kernel-mode privilege-escalation bugs in Windows components that have since been patched.
Trojan.Gapz.1 examines the partition layout of the infected computer's hard disk, identifies the system (active) partition, builds a binary image containing the bootkit and writes it to reserved, unused areas of the disk outside the partitions. It then changes just one field in the boot sector of the active partition (the VBR, volume boot record): the Hidden Sectors value in the BIOS Parameter Block, which the boot code uses as the base sector for the code it loads next. As a result the system loader reads and executes the malicious image instead of the original bootstrap code, while the MBR (Master Boot Record) remains unchanged, so a check that only compares the MBR against a known-good copy does not notice the infection.
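The single-field modification described above can be checked for offline. The following is an added example, not Dr.Web's code and not part of the malware: it parses the MBR partition table of a raw disk image, reads the active partition's VBR and compares the BPB Hidden Sectors field with the partition's starting LBA recorded in the MBR. On a clean volume the two agree; a bootkit that redirects the loader to a payload stored outside the partitions leaves them different. The two disk images (one clean, one with the field redirected) are constructed inline for the example; the field offsets are the standard MBR and FAT/NTFS BPB layouts.

```python
"""Forensic check for a redirected Hidden Sectors field in the active VBR.

Added example; the disk images are constructed here, not taken from a
real infection.  Works on any raw image readable as bytes (e.g. the first
few MiB of /dev/sda or a dd copy).
"""
import struct

SECTOR = 512
MBR_TABLE_OFFSET = 0x1BE      # start of the four 16-byte partition entries
BPB_HIDDEN_SECTORS = 0x1C     # 4-byte LE field, same offset in FAT32 and NTFS BPBs


def parse_partitions(mbr):
    """Return the non-empty primary partition entries of an MBR sector."""
    parts = []
    for i in range(4):
        off = MBR_TABLE_OFFSET + 16 * i
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            parts.append({"index": i, "active": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return parts


def check_vbr(image):
    """Compare the active VBR's Hidden Sectors with the MBR's LBA start.

    Returns a dict with both values, a 'tampered' flag, and whether the
    value the loader would use falls outside every partition (unallocated
    space), which is where a bootkit image is typically hidden.
    """
    mbr = image[:SECTOR]
    if mbr[510:512] != b"\x55\xAA":
        raise ValueError("no MBR boot signature")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["active"]]
    if len(active) != 1:
        raise ValueError("expected exactly one active partition")
    part = active[0]
    vbr_off = part["lba_start"] * SECTOR
    vbr = image[vbr_off:vbr_off + SECTOR]
    if vbr[510:512] != b"\x55\xAA":
        raise ValueError("no VBR boot signature")
    hidden = struct.unpack_from("<I", vbr, BPB_HIDDEN_SECTORS)[0]
    inside_any = any(p["lba_start"] <= hidden < p["lba_start"] + p["sectors"]
                     for p in parts)
    return {"lba_start": part["lba_start"],
            "hidden_sectors": hidden,
            "tampered": hidden != part["lba_start"],
            "points_outside_partitions": not inside_any}


def build_image(hidden_sectors, lba_start=2048, part_sectors=1024, total_sectors=4096):
    """Constructed 2 MiB disk: one active partition (type 0x07) at LBA 2048.

    Only the fields check_vbr() reads are meaningful; the rest is zero.
    Sectors 3072..4095 are unallocated, like the space a bootkit uses.
    """
    img = bytearray(total_sectors * SECTOR)
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0",
                        lba_start, part_sectors)
    img[MBR_TABLE_OFFSET:MBR_TABLE_OFFSET + 16] = entry
    img[510:512] = b"\x55\xAA"
    vbr = bytearray(SECTOR)
    vbr[0:3] = b"\xEB\x52\x90"          # NTFS-style jump
    vbr[3:11] = b"NTFS    "             # OEM ID
    struct.pack_into("<H", vbr, 0x0B, SECTOR)            # bytes per sector
    struct.pack_into("<I", vbr, BPB_HIDDEN_SECTORS, hidden_sectors)
    vbr[510:512] = b"\x55\xAA"
    off = lba_start * SECTOR
    img[off:off + SECTOR] = vbr
    return bytes(img)


# Constructed samples: a clean volume and one whose loader base was redirected
# past the end of the last partition, as the bootkit does.
CLEAN_IMAGE = build_image(hidden_sectors=2048)
INFECTED_IMAGE = build_image(hidden_sectors=3500)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("redirected", INFECTED_IMAGE)):
        print(name, check_vbr(img))
```

A mismatch is a strong indicator but not proof: a partition that was cloned to a different offset without its BPB being rewritten also shows one, so treat the result as a lead and inspect the sectors the field points to. The check deliberately ignores the MBR code itself, since this bootkit leaves it intact.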
Trojan.Gapz.1 is the core of a multicomponent malicious program whose main purpose is to set up an environment in which the other malicious components, carried in the binary image loaded from disk, can be loaded and run. These modules are implemented as blocks of assembled machine code that, when executed, interact with the rootkit through its own API.