It's disgusting that Microsoft dumbed things down and hides extensions by default and has done so since Windows 9x. You can enable that function by clicking on Computer, or This Computer these days, then clicking on Options and then the View tab.
In among the list of things is to enable show extensions and also to unhide system folders. Unhiding the folders makes it easier to find the Trainz data folder if it's located in the default location.
The cdp file doesn't self-extract. The Trainz program is what executes the function to extract the archive. Technically, this should prevent a virus from installing because Trainz reads the file header rather than the extension. This is why we've seen messages such as invalid archive when a cdp is corrupted.
What can occur, however, is files that are infected within the cdp file. At one time, there was malware that targeted jpg files and other common image types. When the asset is opened, the malware is executed wreaking havoc on the system.
The only defense we have is to scan our systems for malware. While it's recommended to turn off real-time scanning of our Trainz folders and program, having real-time scanning enabled for other folders as well as regularly running a malware scan can go pretty far in preventing infections on computer systems.