~DF***.tmp Files

I used search function but found no link to this known topic. The old story of omnipresent ~DF***.tmp files in temporary folder on NT/XP/Vista OS.
I think it could be useful to create a little sum up topic about because many people search the web for these files in relation to security issues and security related questions or problems.

If you enter DF in google you will likely stumble first over DeltaForce. Usually AVs don´t flag these files but they contain interesting coded informations. Virscan e.g. denominates them as microsoft office files but many don´t use ms office and the files are still present. Sometimes they are also flagged as multistream ole components. People speculate if they are part of firewalls or antivirus engines but this isn´t always the case imho. If you analyze them and do some forensics you always find some similar char chains in it like: GIF89a, GIF, RUE, AV as well as CIA, SPI, OSY, SMI. To view these strings clearly you need to configure a good filter system or use a hex editor. Sometimes these ~DF´s are a locked handle of svchost.exe, they vary in size 80, 112, 304 kb e.g... later more.

 

For years I have wondered what these files could be--if anyone could shed light,very interested.

 

@yall

~DF****.tmp stuff

I'm not using an AV or MS Office. Maybe it is connected to a new stealth keylogger technique using ctfmon and activeX controls built into Windows. I also have increasing amounts of .bin files in the same folder. I wonder if they sandbox the bios?

 

Nice find. I was wondering about those...

 

Hey,

Seems like some trojans use the ~DF moniker as well. You can always VT'em. I found a link to bontok trojan that uses ~DF at sophos. One of my scans came up possible bontok aka patched.bl.
A double ext file showed 1 hit at VT for a game stealer trojan, alot of chinese connections in google results for both.

Some one I know is heavy into Chinese RPG. I get emails from them. I don't play any online games. Good thing I've got Returnil.

 

Very very good thought!
I once saw ~DF as a handle in cpf.exe (comodo), the header looks indeed like a office file.
Imho it also could be a fragment of ram (if apps crashes or improperly shut down)
which makes this file just more interesting in terms of finding potential hidden informations and/or stealth communications.

 

News related to ~df*** temp files:
ATools and ZoneAlarm create them by default no wonder that several security freaks have them on their systems.

 

Thank you, --i appreciate your wisdom