~DF***.tmp Files

Discussion in 'other security issues & news' started by SystemJunkie, Oct 12, 2008.

Thread Status:
Not open for further replies.
  1. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    I used the search function but found no link to this known topic. The old story of the omnipresent ~DF***.tmp files in the temporary folder on NT/XP/Vista.
    I think it could be useful to create a little sum-up topic about it, because many people search the web for these files in relation to security issues and security-related questions or problems.

    If you enter DF in Google you will likely stumble first over Delta Force. Usually AVs don't flag these files but they contain interesting coded information. Virscan, e.g., identifies them as Microsoft Office files, but many don't use MS Office and the files are still present. Sometimes they are also flagged as multistream OLE components. People speculate that they are part of firewalls or antivirus engines, but this isn't always the case imho. If you analyze them and do some forensics you always find some similar char chains in them like: GIF89a, GIF, RUE, AV as well as CIA, SPI, OSY, SMI. To view these strings clearly you need to configure a good filter system or use a hex editor. Sometimes these ~DFs are a locked handle of svchost.exe; they vary in size, e.g. 80, 112, 304 kb... more later.
     
    Last edited: Oct 12, 2008
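    The first post says the files get labelled as Office/OLE files and that you need a hex editor or a string filter to read them. Below is an added example (written for this thread, not code from any poster or scanner named here) that triages one such file: it checks for the OLE compound-file signature and header fields from the MS-CFB layout, extracts printable strings the way the `strings` tool does, and reports which of the character runs named in the first post appear. The file bytes are constructed in `build_sample()`; point `triage()` at the bytes of a real ~DF*.tmp to use it on your own temp folder.

```python
import re
import struct

OLE_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # MS-CFB compound file signature
# Character runs the first post reports seeing inside ~DF*.tmp files.
THREAD_TOKENS = [b"GIF89a", b"RUE", b"CIA", b"SPI", b"OSY", b"SMI"]


def parse_cfb_header(data):
    """Return a few header fields if data starts with a valid CFB header, else None."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        return None
    minor, major, byte_order, sector_shift, _mini = struct.unpack_from("<HHHHH", data, 24)
    n_dir, n_fat, first_dir = struct.unpack_from("<III", data, 40)
    if byte_order != 0xFFFE or sector_shift not in (9, 12):
        return None  # magic present but the header fields are not what MS-CFB specifies
    return {"version": major, "sector_size": 1 << sector_shift,
            "fat_sectors": n_fat, "first_dir_sector": first_dir}


def printable_strings(data, min_len=4):
    """ASCII runs of at least min_len bytes, like the 'strings' tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data):
    """Classify one file's bytes: OLE or not, header fields, strings, token hits."""
    header = parse_cfb_header(data)
    hits = sorted(t.decode("ascii") for t in THREAD_TOKENS if t in data)
    return {"is_ole": header is not None, "header": header,
            "strings": printable_strings(data), "token_hits": hits}


def build_sample():
    """Constructed stand-in for a ~DF*.tmp: minimal CFB header plus one data sector."""
    header = bytearray(512)
    header[:8] = OLE_MAGIC
    struct.pack_into("<HHHHH", header, 24, 0x3E, 3, 0xFFFE, 9, 6)  # v3, little-endian, 512-byte sectors
    struct.pack_into("<III", header, 40, 0, 1, 1)  # dir sector count, FAT sector count, first dir sector
    struct.pack_into("<I", header, 56, 4096)  # mini-stream cutoff size
    for i in range(109):  # DIFAT: entry 0 points at the FAT sector, the rest are free
        struct.pack_into("<I", header, 76 + 4 * i, 0 if i == 0 else 0xFFFFFFFF)
    sector = b"\x00" * 20 + b"GIF89a" + b"\x00" * 30 + b"SPI " + b"\xFF" * 452
    return bytes(header) + sector


if __name__ == "__main__":
    result = triage(build_sample())
    print("OLE compound file:", result["is_ole"], result["header"])
    print("strings:", result["strings"], "thread tokens seen:", result["token_hits"])
```

    A file that fails the header check but carries a ~DF name is the odd one out and the one worth uploading to a multi-engine scanner.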
  2. teg1

    teg1 Registered Member

    Joined:
    May 18, 2006
    Posts:
    10
    For years I have wondered what these files could be. If anyone could shed light, I'd be very interested.
     
  3. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    @yall

    ~DF****.tmp stuff

    I'm not using an AV or MS Office. Maybe it is connected to a new stealth keylogger technique using ctfmon and ActiveX controls built into Windows. I also have increasing amounts of .bin files in the same folder. I wonder if they sandbox the BIOS?
     
  4. Eh_Greg

    Eh_Greg Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    64
    Location:
    US.
    Nice find. I was wondering about those...
     
  5. Searching_ _ _

    Searching_ _ _ Registered Member

    Joined:
    Jan 2, 2008
    Posts:
    1,988
    Location:
    iAnywhere
    Hey,

    Seems like some trojans use the ~DF moniker as well. You can always VT 'em. I found a link at Sophos to the Bontok trojan that uses ~DF. One of my scans came up possible Bontok aka Patched.bl.
    A double-extension file showed 1 hit at VT for a game-stealer trojan; a lot of Chinese connections in Google results for both.

    Someone I know is heavy into Chinese RPG. I get emails from them. I don't play any online games. Good thing I've got Returnil.
     
  6. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    Very, very good thought!
    I once saw ~DF as a handle in cpf.exe (Comodo); the header looks indeed like an Office file.
    Imho it also could be a fragment of RAM (if an app crashes or is improperly shut down),
    which makes this file just more interesting in terms of finding potentially hidden information and/or stealth communications.
     
  7. SystemJunkie

    SystemJunkie Resident Conspiracy Theorist

    Joined:
    Mar 3, 2006
    Posts:
    1,500
    Location:
    Germany
    News related to ~df*** temp files:
    ATools and ZoneAlarm create them by default, so no wonder that several security freaks have them on their systems.
     
  8. teg1

    teg1 Registered Member

    Joined:
    May 18, 2006
    Posts:
    10
    Thank you, I appreciate your wisdom.
     