Masquerading as another extension is one of the oldest tricks in the malware book. It's not that someone "adds" a virus to a CDP file, but that someone targeting Trainzers could make a totally different file - such as a self-executing program - look like a CDP.
Especially in this day and age it...