What is the purpose/function of ".ßßß" files?

171

18

While trying to copy the contents of a 16GB USB drive, I got a warning that there was not enough free space. Checking the properties of the folder tree on the USB drive, I found a large number of ".ßßß" files that claim to be around 3.5GB each, for a total of approximately 908GB (which I don't think could be possible on a 16GB drive).

screenshot of the files in question

Obviously there is something going on here, but I cannot find any reference to this file type online.

When I try to delete these files, they request administrator permission (which I provide). However, they then throw a "File Access Denied" error and state that I require permission from the administrator...

Does anyone know what the purpose of these files is, and how to remove them?

Arne

Posted 2018-08-01T17:58:18.540

Reputation: 1 200

17 This looks like malware, possibly using USB spreading technologies or obfuscation of file content/names to destroy data. It's definitely nothing normal or expected. The filesize also only appears to be this big. – confetti – 2018-08-01T18:04:39.970

69 I think your drive, or at least the filesystem on it, might be toast. – Ignacio Vazquez-Abrams – 2018-08-01T18:07:17.600

8 That... looks like FS corruption. Try running chkdsk or Repair-Volume on the drive? – bwDraco – 2018-08-02T05:43:39.790

4 Is this drive from China? They used to change the FW to report a bigger size than real. If the end was reached, writing began at the start, thus overriding the FS. – JIV – 2018-08-02T12:02:51.233

@JIV Link or it didn't happen. – Mr Lister – 2018-08-04T15:04:46.493

5 @MrLister Among many blog posts and articles (0 1 2) there are two mentions by Andrew Huang (of Xbox jailbreaking fame) in pages 151-152 and 292-293 of his book "The Hardware Hacker", one of the chapters where he analyzes all kinds of counterfeit electronic parts. – user1686 – 2018-08-04T15:38:01.003

2 What's the file system? NTFS or FAT? – Thomas Weller – 2018-08-05T12:48:56.927

1 FYI - a fun, semi-related, thread, "Pseudo English looking characters used in Windows 10 Insider Preview" – BruceWayne – 2018-08-06T21:09:12.377

Answers

443

Most likely these aren't actual files but the result of filesystem corruption.

  • It is normally not possible to have multiple identically named files.
  • Their names (ßßßßßßßß.ßßß) correspond to hexadecimal bytes E1 E1 E1… in code page 437 (which was the default MS-DOS code page, and therefore the default FAT/FAT32 code page when long file names aren't in use).
    (The character is not the Greek beta but the German lowercase sharp S. The dot isn't actually stored in the FAT, but added by the OS when reading, so it doesn't get corrupted.)
  • Their sizes are close to 3 789 677 025 bytes, which is again 0xE1 E1 E1 E1 in hex.
    (That's approximately 3 700 856.469 kilobytes; Windows probably rounds up.)

All signs point to part of your filesystem's master file table being filled with the byte 0xE1, which may be caused by software (such as unplugging mid-write), but may also indicate that the flash memory itself is dying.

Software-induced corruption can often be cleaned up by using Windows' disk error checking (chkdsk). Or just reformat the drive (after copying your real files out of it).

But especially for cheaper and/or heavily-used drives, bad flash memory is very likely. Don't use this drive for important files anymore.

user1686

Posted 2018-08-01T17:58:18.540

Reputation: 283 655

48 Your theory seems solid, based on the recurring theme of the E1 byte. I've since formatted the drive and all appears well... but I will likely not be using this drive for mission-critical purposes anymore. Thanks for the insight! – Arne – 2018-08-01T18:27:48.183

10 E1 = 1110 0001 - This means that it is a misaligned sequence of 4 bits set and 4 bits cleared repeated over and over. – Victor Stafusa – 2018-08-06T21:09:48.977

4 Actually, in CP437, character 225 is both sharp S and Greek beta. – IllidanS4 wants Monica back – 2018-08-07T10:32:37.343

2 @IllidanS4: Since Windows only deals with Unicode filenames (automatically converting CP437 to Unicode when reading the FAT), and Unicode chooses to map 0xE1 to U+00DF ("LATIN SMALL LETTER SHARP S"), that's unambiguously what all Windows programs display, regardless of the original dual definition. – user1686 – 2018-09-09T13:25:54.893
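
The decoding described in the answer above can be reproduced with a short script. This is an added example, not code from any poster in the thread. It assumes the standard 32-byte FAT short (8.3) directory entry layout, and both the sample directory buffer and the "suspicious" heuristic are constructed for illustration.

```python
import struct

# 32-byte FAT short (8.3) directory entry, little-endian:
# name[8] ext[3] attr nt_reserved ctime_tenths, then seven 16-bit
# time/date/cluster fields, then the 32-bit file size.
ENTRY = struct.Struct("<8s3sBBBHHHHHHHI")
ATTR_LFN = 0x0F        # marks a long-file-name slot, not a real file
ATTR_RESERVED = 0xC0   # top two attribute bits must be zero in a valid entry

def parse_entry(raw: bytes) -> dict:
    """Decode one directory entry roughly as a FAT driver presents it."""
    name, ext, attr, *_middle, size = ENTRY.unpack(raw)
    base = name.decode("cp437").rstrip(" ")
    suffix = ext.decode("cp437").rstrip(" ")
    # The dot is not stored on disk; it is inserted for display.
    display = f"{base}.{suffix}" if suffix else base
    # Heuristic chosen for this example: one byte repeated across the
    # whole entry, or reserved attribute bits set, is not real metadata.
    suspicious = len(set(raw)) == 1 or bool(attr & ATTR_RESERVED)
    return {"name": display, "size": size, "attr": attr, "suspicious": suspicious}

def scan_directory(buf: bytes) -> list:
    """Walk a raw directory region in 32-byte steps."""
    entries = []
    for off in range(0, len(buf) - ENTRY.size + 1, ENTRY.size):
        raw = buf[off:off + ENTRY.size]
        if raw[0] == 0x00:      # end-of-directory marker
            break
        if raw[0] == 0xE5:      # deleted entry
            continue
        if raw[11] & 0x3F == ATTR_LFN:
            continue
        entries.append(parse_entry(raw))
    return entries

# Constructed sample: one valid entry, two entries overwritten with 0xE1,
# then an end-of-directory marker.
GOOD = ENTRY.pack(b"README  ", b"TXT", 0x20, 0, 0, 0, 0, 0, 0, 0, 0, 2, 1234)
SAMPLE_DIR = GOOD + b"\xE1" * 64 + b"\x00" * 32

if __name__ == "__main__":
    for e in scan_directory(SAMPLE_DIR):
        flag = "CORRUPT?" if e["suspicious"] else "ok"
        print(f'{e["name"]:<14}{e["size"]:>12}  attr=0x{e["attr"]:02X}  {flag}')
```

Because 0xE1 is neither the end-of-directory marker (0x00) nor the deleted-entry marker (0xE5), each overwritten 32-byte slot is listed as a live file, which is why many identically named entries appear.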