[unisog] What are doc.bin files?

Steve VanDevender stevev at darkwing.uoregon.edu
Wed Jul 18 23:24:34 GMT 2001

Barbara Inzina writes:
 > People here are starting to get email attachments with file names that
 > end in "doc.bin".
 > They are having trouble reading them.  They appear to be Word documents,
 > but the ".bin" confuses some of the email client programs.
 > Surfing to find out what they are, we found at least one web site that
 > said:
 > "The file has been called guide.doc.bin to help ensure reliable download
 > using a web browser, but after downloading you should rename the file
 > guide.doc)"
 > Does anyone know what this is?   Was I asleep while a new technique for
 > encoding attachments was invented?

Many Microsoft Windows viruses/worms exploit the default behavior of
some common Windows applications to strip off the last extension on a
file when displaying a filename.  So a ".doc.bin" file would be shown as
".doc", but it would be handled internally as a ".bin" (executable?).
I'd be very suspicious of the attachment you describe.

We actually exploit this behavior to our advantage in a procmail virus
filter we use on our UNIX mail hosts, which adds ".txt" to the
attachment file name for some common executable content types used in
Windows viruses.
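
Added example, not part of the original message and not the site's actual procmail filter: a Python sketch of the renaming idea described above, which appends ".txt" to risky attachment names so the last extension a Windows client sees is harmless. The extension list, the function names and the sample message are assumptions made for illustration, and this sketch keys on the filename extension.

```python
import email
import os

# Assumption: the post does not list the extensions its filter covers.
RISKY_EXTENSIONS = {".bin", ".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}

# Constructed sample message (not from the original post).
SAMPLE = b"""\
From: sender@example.org
Subject: guide
Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Type: text/plain

See attached.
--XX
Content-Type: application/octet-stream; name="guide.doc.bin"
Content-Disposition: attachment; filename="guide.doc.bin"

AAAA
--XX
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

plain notes
--XX--
"""

def defang_name(filename):
    """Append '.txt' when the final extension is on the risky list."""
    # Windows ignores trailing dots and spaces, so ignore them here too.
    ext = os.path.splitext(filename.rstrip(" ."))[1].lower()
    return filename + ".txt" if ext in RISKY_EXTENSIONS else filename

def defang_message(raw):
    """Return (rewritten message bytes, list of (old, new) names)."""
    msg = email.message_from_bytes(raw)
    renamed = []
    for part in msg.walk():
        old = part.get_filename()
        new = defang_name(old) if old else old
        if new != old:
            # Rewrite both places a client may take the name from.
            if part.get_param("filename", header="Content-Disposition"):
                part.set_param("filename", new, header="Content-Disposition")
            if part.get_param("name"):
                part.set_param("name", new)
            renamed.append((old, new))
    return msg.as_bytes(), renamed
```

Both the Content-Disposition `filename` and the Content-Type `name` parameter are rewritten, because mail clients differ in which one they use to name the saved file.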

