C.DTF is not (necessarily) a virus...
Loads of search engine hits here recently asking what to do about the mysterious C.DTF virus. Well, it probably isn't a virus at all.

Remember, mass mailing viruses propagate successfully by executing code on victims' systems. To do this, the worm must arrive as either an executable file type (i.e. a Win32 portable executable, though these are very often disguised as other "executable" types such as .pif and so on) or as some other type that the underlying OS knows how to handle (hence the recent popularity of .zip files containing Win32 portable executables). C.DTF meets neither of these criteria. DTF is neither a common executable type nor a file type commonly associated with any utility. So a virus would never deliberately be propagated as C.DTF. Which is not to say it could not happen...

  • C.DTF is usually just the raw MIME of an RFC822 message. It can be decoded as described here or you can simply save to the operating system as filename.eml and open it in Outlook Express or Netscape Mail.

  • Some viruses deliberately send MIME that may cause difficulty at the receiving MUA. This is generally done to exploit known loopholes in some MUAs. For example, there was a flaw in Outlook Express (long since fixed) that permitted the execution of arbitrary code when represented in a multipart/related message as being some other binary file type and with a content ID tag linking it to the text/html element of that same multipart/related message. The best known example is probably Klez.H.

    It is therefore at least conceivable that a C.DTF file may turn up bearing some viral payload, not because C.DTF is itself a known virus vector, but because the MIME used to deliver the virus is broken in some way and the receiving Domino MTA has rendered this broken MIME as C.DTF. I have never seen a sample though -- this is probably a rare phenomenon.

So, with C.DTF the quick way to get at the contents of the message is to save as .eml and open in Outlook Express. The safe way is to proceed as outlined in my earlier piece on C.DTF, using a suitable Base64 decoder and leaving any suspicious executable attachments undecoded...
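A triage script for the safe route just described, added here as an example and not code from the original post: it parses the raw RFC822 MIME that a C.DTF usually contains with Python's standard `email` module, decodes only text parts, and leaves undecoded anything that carries an executable extension or is a non-text part linked by Content-ID inside the message (the multipart/related trick described above). The sample message, the addresses and the extension list are constructed for this example.

```python
import os
import email
from email import policy

# Extensions Windows will execute (or hand to an archiver), so these parts stay undecoded.
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".zip"}

# Constructed sample of what a C.DTF might contain: a text/html part plus a binary
# part declared as audio but named .pif and linked to the HTML by Content-ID.
SAMPLE_DTF = b"""From: sender@example.invalid
To: recipient@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>hello <img src="cid:part1@example"></body></html>
--b1
Content-Type: audio/x-wav; name="hello.pif"
Content-Transfer-Encoding: base64
Content-ID: <part1@example>
Content-Disposition: inline; filename="hello.pif"

Q29uc3RydWN0ZWQgcGxhY2Vob2xkZXIgYm9keQ==
--b1--
"""

def triage_dtf(raw: bytes) -> list[dict]:
    """Describe every leaf part of the MIME; decode text parts only."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    report = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        ctype = part.get_content_type()
        filename = part.get_filename() or ""
        ext = os.path.splitext(filename)[1].lower()
        reasons = []
        if ext in EXECUTABLE_EXTS:
            reasons.append(f"executable extension {ext}")
        if part.get("Content-ID") and not ctype.startswith(("text/", "image/")):
            reasons.append(f"{ctype} part linked by Content-ID (multipart/related trick)")
        entry = {"content_type": ctype, "filename": filename,
                 "suspicious": bool(reasons), "reasons": reasons, "text": None}
        if not reasons and ctype.startswith("text/"):
            entry["text"] = part.get_content()  # safe to decode: plain text or HTML
        report.append(entry)
    return report

if __name__ == "__main__":
    for entry in triage_dtf(SAMPLE_DTF):
        print(entry["content_type"], entry["filename"], entry["reasons"] or "decoded")
```

Point the script at a saved C.DTF (`triage_dtf(open("C.DTF", "rb").read())`) to see which parts it would be safe to extract.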

Category: Notes

Comments:

1. Miky Lee 23/09/2004 17:10:36

My antivirus has been catching a few of C4110146.DTF. Do you think this is not a virus?




2. Chris Linfoot 24/09/2004 09:28:03

I think it probably is a virus in your case. Sort of.

DTF is useless as a virus vector because it is neither an executable type nor commonly associated with any utility (like .zip). But (read yesterday's story on malformed MIME), if the sender has chosen to use deliberately broken MIME in an attempt to bypass content checking, Domino shops will occasionally see .DTF files that, when decoded, contain viruses.

DTF files seem to be created by MIME to CD conversion at the inbound Domino server when that conversion cannot be completed for some reason and most commonly this is due to broken MIME.

A lot of broken MIME is caused by badly written commercial software, but increasingly MIME is broken deliberately by virus writers.

Expect to see more DTF files with malware content in future, but don't worry about them too much - they will usually be caught by server side AV software and unless a recipient knows how to decode them (which in my experience is unheard of) they are harmless anyway.



