Kaspersky
Solved

Trojan.Multi.BroSubsc.gen

  • 11 January 2020
  • 7 replies
  • 3307 views

Good evening,
a few days ago Kaspersky Internet Security 20(.0.14.1085(g)) detected and removed Trojan.Multi.BroSubsc.gen from system memory on my notebook.

This seems to have been successful, because Kaspersky Rescue-CD did not report any malware afterwards. 

Nevertheless I'm searching for documentation on what exactly this kind of trojan does / how it works - for example: make changes to \system32\drivers\etc\HOSTS, load and install other malware, alter (system) files or registry entries, modify / add / damage Firefox / Chrome extensions etc.

The only information I have found so far is:
https://threats.kaspersky.com/en/threat/Trojan.Multi.BroSubsc/
which provides very few details.

I'd be happy about any advice / suggestions. Thank you all!

Greetings
Steffen


Best answer by FLOOD 13 January 2020, 10:36

Hello  @Steffen,

You’re very welcome!

Thank you for replying and for the detailed information:clap_tone3:

Please let us know what Kaspersky Technical Support advise?

Thank you:pray_tone3:

 


Userlevel 7
Badge +6

Hello @Steffen,

Welcome!

(My understanding) TROJAN.MULTI.BROSUBSC hijacks contaminated browsers. The Trojan.Multi.BroSubsc.gen verdict is issued when scanning startup objects if detectable URLs that give these advertising notifications are registered in the browser settings (currently supported: Chrome, Yandex, Opera, Vivaldi).

For a deep dive: Kaspersky Technical Support should be able to assist. Normally, they would require the file to analyse, however, as it’s been resolved, they should still be able to seek information from the VirusLab experts. 

They may still ask for a GSI & Windows Logs

After you submit the request, you’ll receive an automated email with an INC+12 digits reference #, then, normally, within 5 business days, a Kaspersky Lab human will contact you, also by email, you may continue to communicate with them via reply email & or by updating the INC in your MyKaspersky.com account.

Please let us know what they say?

Thank you:pray_tone3:

Userlevel 7
Badge +6

Hi, @Steffen ,
Users often complain about advertising notifications in the browser that appear as a result of rash actions on questionable (and not only) sites. In case of consent to accept notifications from the site, unwanted resources appear in the browser settings.

The verdict Trojan.Multi.BroSubsc.gen is issued when checking startup objects if the browser settings (now supported: Chrome, Yandex, Opera, Vivaldi; the list will be expanded in the future) contain detectable URLs that issue these advertising notifications. During treatment, the status of such URLs changes from "Allow" to "Block".
The specified signature was added on February 13, 2019.

You need to follow the recommendations from this article: https://www.kaspersky.com/blog/disable-browser-notifications/23225/

Also clear the browser history completely by pressing the keyboard shortcut in the launched browser: Shift + Ctrl + Delete, set all markers except passwords and select delete / clear history for all time.

Then clear the antivirus reports and perform a full scan.
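
The check described above (notification URLs registered in the browser settings, with treatment switching them from "Allow" to "Block") can be reproduced by hand on a Chromium-based profile. This is an added example, not part of the original post and not Kaspersky's code; it assumes the Chromium `Preferences` JSON layout `profile.content_settings.exceptions.notifications` with `setting` 1 = Allow and 2 = Block, and the sample data and site names are constructed.

```python
import json

# Assumed Chromium ContentSetting values as stored in the Preferences file.
ALLOW, BLOCK = 1, 2

def notification_exceptions(prefs: dict) -> dict:
    """Per-site notification exceptions from a parsed Preferences dict."""
    return (prefs.get("profile", {})
                 .get("content_settings", {})
                 .get("exceptions", {})
                 .get("notifications", {}))

def origin_of(pattern: str) -> str:
    """Keys look like 'https://site:443,*'; keep only the primary pattern."""
    return pattern.split(",", 1)[0]

def allowed_origins(prefs: dict) -> list:
    """Origins whose notification permission is Allow, sorted for stable output."""
    return sorted(origin_of(k) for k, v in notification_exceptions(prefs).items()
                  if isinstance(v, dict) and v.get("setting") == ALLOW)

def block_origins(prefs: dict, unwanted: set) -> int:
    """Flip Allow -> Block for the given origins; return how many entries changed."""
    changed = 0
    for key, value in notification_exceptions(prefs).items():
        if (isinstance(value, dict) and value.get("setting") == ALLOW
                and origin_of(key) in unwanted):
            value["setting"] = BLOCK
            changed += 1
    return changed

# Constructed sample shaped like a profile's Preferences file (not real data).
SAMPLE = json.loads("""
{"profile": {"content_settings": {"exceptions": {"notifications": {
  "https://news.example.org:443,*":     {"setting": 1},
  "https://push-ads.example.test:443,*": {"setting": 1},
  "https://old.example.net:443,*":      {"setting": 2}
}}}}}
""")

if __name__ == "__main__":
    print("Allowed before:", allowed_origins(SAMPLE))
    n = block_origins(SAMPLE, {"https://push-ads.example.test:443"})
    print("Entries switched to Block:", n)
    print("Allowed after:", allowed_origins(SAMPLE))
```

To audit a real profile, load its `Preferences` file with `json.load` while the browser is closed and review the output of `allowed_origins`; make the actual change through the browser's notification settings page.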

Thank you both very much for your fast replies and great assistance! :slight_smile:

@FLOOD
I will follow your advice and contact Kaspersky Technical Support.

In the last weeks I had some problems. At first Adblock Plus reinstalled itself each time I started Vivaldi and then Kaspersky reported a few times that it had to restart itself because an error had occurred.

Unfortunately, because I was very busy, I can't remember the exact sequence of events.

Last Thursday I downloaded files from Zippyshare using Opera (65.0.3467.78 x64). KIS reported that the .rar files were clean but the infection apparently was caused by one of the advertisement sites Zippyshare usually opens. The next day after starting my notebook the Kaspersky icon was red and the program stated that it was damaged and had to be reinstalled. After removing KIS, a reboot and reinstalling, it immediately detected the trojan. Then:

1. KIS asked to reboot Windows in order to delete it => "trojan has been successfully removed"
2. KIS full scan -> nothing found
3. Desinfec't 2019 scan (Ubuntu live system CD from https://www.heise.de/ct/ using scan engines from Eset, F-Secure, Kaspersky and Sophos) -> Eset reported 3 suspicious folders in Opera temp folder
=> I started the Boot-CD file manager and deleted everything in that folder
4. Kaspersky Rescue CD scan -> nothing found

This is the reason why I want to make sure that this family of trojans is not capable of (actively) attacking anti-virus software / adblocker addons. Judging from your information it seems more likely that Kaspersky was already damaged and this made the infection possible in the first place.

 

@Friend
I have cleared the browser history / antivirus reports and will read the article you suggested next. KIS has found no malware.
Thank you! 

Userlevel 7
Badge +6

@Steffen  what Trojan.Multi.BroSubsc.gen is capable of is described in detail here https://securelist.com/unwanted-notifications-in-browser/95060/

Userlevel 7
Badge +6

Hello  @Steffen,

You’re very welcome!

Thank you for replying and for the detailed information:clap_tone3:

Please let us know what Kaspersky Technical Support advise?

Thank you:pray_tone3:

 

@Steffen  what Trojan.Multi.BroSubsc.gen is capable of is described in detail here https://securelist.com/unwanted-notifications-in-browser/95060/

@Friend 

Thank you for the information. :slight_smile: Unfortunately I had only very little time the last days but I'm reading it now.

 

 

@FLOOD 

Thank you! I have checked the KIS settings and “Delete malicious tools, adware, auto-dialers and suspicious packagers” is enabled. I must admit never having used Privacy Cleaner Wizard before but I'll give it a try. :slight_smile:

Please let us know what Kaspersky Technical Support advise?

Thank you:pray_tone3:

 

Of course, I have just contacted Kaspersky Technical Support and will post the information as soon as I receive a reply.

Userlevel 7
Badge +6

Hello @Steffen

Regarding the Privacy Wizard, before running, export Bookmarks for all Kaspersky supported browsers, then run the Wizard, select ALL recommended & highly recommended options, at the completion of the Wizard, reboot.  

Thank you:pray_tone3:
