PKZip Trojan



Although this trojan horse did exist at one time, there have been no reported infections or destruction caused by it since late 1995. Rumors of its existence, however, have spread quickly through Internet mail ever since it was first discovered. It is now more a rumor or hoax than an actual threat to the public, and it has caused more damage and concern through its rumored existence than through any direct action of the program itself. For those interested, here is a summary of how the original strain functioned. Again, it is not currently considered to be in distribution and is not considered a threat to the public.

3b Trojan is a Trojan Horse program that claims to be the latest version of PKZIP, Version 3.0g, from PKWARE Inc.
3b Trojan was first received by the Symantec AntiVirus Research Center in late July 1995. The definition (fingerprint) was integrated into the August 1995 virus definition set and has been part of every update since that initial release.
3b Trojan is not a virus.

Trojan Horse programs do not replicate and spread themselves. Instead, they masquerade as legitimate programs, in this case, as a new release of PKZIP. Users download these programs, thinking them beneficial, and run them. For the event, or trigger, to take place, users must manually download these files and consciously run them.

The vast majority of Trojan Horse programs are written with a destructive intention. 3b Trojan has been distributed under the following names:

(a) PKZ300B.EXE
(b) PKZ300B.ZIP
(c) PKZIP300.EXE
(d) PKZIP300.ZIP

The triggered event is to format the hard drive. The "self-extracting" versions of the executable (.EXE) files for 3b Trojan and the "PKZIP" program within it have this trigger. There have also been reports that 3b Trojan "affects modems of 1.44 and higher." These accounts are incorrect: 3b Trojan has no such capability.

As of November 1996, only the following releases of the DOS PKZIP program are valid:

(a) 1.10
(b) 1.93
(c) 2.04c
(d) 2.04e
(e) 2.04g

In response to 3b Trojan, PKWARE Inc. has issued the following statement:
    !!! PKZIP Trojan Horse Version - (Originally Posted May 1995) !!!
    It has come to the attention of PKWARE that a fake version of PKZIP is being
    distributed as PKZ300B.ZIP or PKZ300.ZIP. It is not an official version from
    PKWARE and it will attempt to erase your hard drive if run. It attempts to
    perform a deletion of all the directories of your current drive. If you have
    any information as to the creators of this trojan horse, PKWARE would be
    extremely interested to hear from you. If you have any other questions about
    this fake version, please e-mail support@pkware.com



The contents of all pages [and other material] on our site are copyright Martin Overton 1997-2007, or other stated author. All rights are reserved.
Reproduction, transfer, distribution or storage of part, or all of the contents in any form without the prior written permission of Martin Overton or the Copyright owner is prohibited.