I am using EnCase to analyse data stored in a flash memory. I found the following files, which are described as deleted, overwritten:
_DGIYGU.exe
_IDEIECT.com
_KUGB3.bat
_UTORUN.inf
After checking, I found out that they are viruses:
ADGIYGU.exe
NIDEIECT.com
UGB3.bat
AUTORUN.inf
When I bookmarked them, they were represented as "File Group" in the bookmark folder, but unlike other files, they all have the same name, which is the name of a video file in the same flash memory. I also found a file named "Test", which is represented as "Notable File" and whose name refers to another file name.
My questions are:
1- Is "Test" a virus?
2- In their current status, are these viruses ineffective and can't be active in any way?
3- Is there any relation between these viruses to perform specific tasks?
4- What is the relation between these viruses and the files with which they share the same name?
> 1- Is "Test" a virus?
How is one supposed to determine if this is a virus based on its filename alone?
> 2- In their current status, are these viruses ineffective and can't be active
> in any way?
You said that when you originally found the files, they were deleted/overwritten… logically, it would appear that they were not active.
> 3- Is there any relation between these viruses to perform specific tasks?
How were you able to determine that they were viruses? Considering the "how" might help answer your question.
> 4- What is the relation between these viruses and the files with which they
> share the same name?
Again, you've really given no indication of how you determined that these were viruses, or even the contents of the files themselves.
I don't really understand the question, it sounds like you might be misunderstanding overwritten files and their bookmarking in EnCase as you'll have bookmarked the overwriting data, not what you clicked on…
These files are deleted, so their names are changed in the FAT table by replacing the first character. Then I searched the web for these names with their extensions and found the same file names with their real first characters, with some information indicating that they are viruses. If you google "DGIYGU.exe" you will find information about "ADGIYGU.exe", and so on; try it.
Yes Rich I think you are right. Although I was bookmarking these deleted files, the bookmark folder indicates only the name of the files overwriting them.
If the references are pointing to other files, then the data is either completely or partially removed. In either case the virus would not be active.
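As an added illustration of two points made in this thread (the first-character change in the FAT directory entry on deletion, and the deleted entries that now "share" a live video file's data), here is a small FAT32 short-directory-entry parser. It is example code written for this page, not from the thread or from EnCase; the directory bytes, file names, sizes and cluster numbers are constructed, the `_` placeholder mirrors how the recovered names appeared in the question, and VFAT long-name entries are skipped.

```python
import struct

DELETED_MARKER = 0xE5  # first name byte of a FAT short entry once the file is deleted
ATTR_LONG_NAME = 0x0F  # VFAT long-name entries; skipped by this example
# name[11] attr ntres crt_tenth crt_time crt_date acc_date clus_hi wrt_time wrt_date clus_lo size
ENTRY_FMT = "<11sBBBHHHHHHHI"

def make_entry(name83, first_cluster, size, deleted=False):
    """Build a 32-byte FAT32 short directory entry (constructed sample data)."""
    base, ext = name83.upper().split(".")
    raw = base.ljust(8).encode("ascii") + ext.ljust(3).encode("ascii")
    if deleted:
        raw = bytes([DELETED_MARKER]) + raw[1:]  # deletion changes only this byte
    hi, lo = first_cluster >> 16, first_cluster & 0xFFFF
    return struct.pack(ENTRY_FMT, raw, 0x20, 0, 0, 0, 0, 0, hi, 0, 0, lo, size)

def parse_entry(raw):
    """Decode one entry; a deleted name gets '_' where the lost first character was."""
    fields = struct.unpack(ENTRY_FMT, raw)
    name, hi, lo, size = fields[0], fields[7], fields[10], fields[11]
    deleted = name[0] == DELETED_MARKER
    name = b"_" + name[1:] if deleted else name
    base, ext = name[:8].decode("ascii").rstrip(), name[8:].decode("ascii").rstrip()
    return {"name": base + ("." + ext if ext else ""), "deleted": deleted,
            "first_cluster": (hi << 16) | lo, "size": size}

def scan_directory(blob):
    """Walk a raw directory region 32 bytes at a time until the 0x00 end marker."""
    entries = []
    for off in range(0, len(blob), 32):
        raw = blob[off:off + 32]
        if raw[0] == 0x00:
            break
        if raw[11] != ATTR_LONG_NAME:
            entries.append(parse_entry(raw))
    return entries

def overwritten_entries(entries):
    """Deleted entries whose old start cluster is now owned by a live file: the old content
    is gone, and carving that cluster returns the live file's data under the recovered name."""
    live = {e["first_cluster"]: e["name"] for e in entries if not e["deleted"]}
    return {e["name"]: live[e["first_cluster"]]
            for e in entries if e["deleted"] and e["first_cluster"] in live}

# Constructed directory: one live video, two deleted files; names/clusters are invented.
SAMPLE_DIRECTORY = b"".join([
    make_entry("holiday.avi", first_cluster=3, size=7_340_032),
    make_entry("adgiygu.exe", first_cluster=3, size=61_440, deleted=True),   # clusters reused
    make_entry("autorun.inf", first_cluster=900, size=135, deleted=True),    # still unallocated
]) + bytes(32)  # all-zero entry marks the end of the directory
SAMPLE_ENTRIES = scan_directory(SAMPLE_DIRECTORY)
```

On real media the same check is done against the FAT cluster map, not just first clusters, but the principle is the one the thread reached: a deleted entry whose clusters have been reallocated bookmarks the overwriting file's data.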