Virus Busters Home


Information about the PKZ300B.EXE Trojan Horse Program

by Bruce P. Burrell
bpb@umich.edu
virus-busters@umich.edu

Update (11/14/96):
The PKZ300B.EXE file is sometimes referred to as PKZ300.EXE, PKZIP3.EXE, or PKZIP300.ZIP, etc. The text below still applies.

17 April 1996

This information can be freely reproduced in any medium, as long as the information is unmodified.

  1. PKZ300B.EXE *does* exist, and is harmful if executed. It is reputed to overwrite a lot of data on hard drives.

  2. This is not a virus; it is a Trojan Horse. While that probably won't matter to someone who loses data because of it, PKZ300B.EXE won't spread except by explicit transfer.

  3. PKWare is not responsible for this piece of malware; that is, it's not their release of a buggy product. The most recent release is version 2.04G. To the best of my knowledge, the author of PKZ300B.EXE is unknown.

  4. See http://www.pkware.com/fake.html for an official statement from PKWare. Checking home pages like this one, or contacting company support staff via email, phone, or a BBS, are good ways to verify or discredit such reports. See also (8) below for our web address, where we try to maintain such reports. Finally, you may want to read the Computer Incident Advisory Capability (CIAC) Bulletin Number 95-10 at http://ciac.llnl.gov/ciac/notes/Notes10.shtml.

  5. This is old news; I first heard rumor of it June 2 '95 and read this confirmation on Usenet (included with the author's permission):
    > From: parker@pharmacy.hsci.umn.edu (Patrick B. Parker)
    > Subject: Re: Virus in PKZ300B?
    > Date: Thu, 8 Jun 1995 15:26:22 GMT
    > Lines: 26
    > 
    > Well, this is what I've come up with.
    > 
    > >Dear PKWare Support Folks,
    > >Can you please verify the authenticity of this report?  I am sure
    > >others besides myself would like to be sure before notifying tens of
    > >thousands of users of a potential hazard.
    > >
    > >Please copy the list techc-all@mail.unet.umn.edu in your reply.
    > >
    > >Thanks for your time,
    > 
    > It is confirmed. PKZ300B.ZIP/EXE is a trojan version.
    > 
    > Mark Gresbach
    > ---
    > PKWARE Inc.              Creators of PKZIP, PKLITE, PKZMENU,
    > 9025 N. Deerwood Drive               StupenDOS, PKZFIND, etc
    > Brown Deer, WI 53223         Anonymous ftp site - pkware.com
    > Tel: 414-354-8699     Fax: 414-354-8559    BBS: 414-354-8670
    

    [Mr. Parker displays excellent troubleshooting skills here; this is a case study in how second-level tech support should handle such an incident. Mr. Parker's current email address is pparker@fore.com]

  6. I announced this to the PC AntiVirus Update (PCAVU) group after confirming its accuracy (6/19/95; in F-PROT 2.18a announcement).

    (University of Michigan faculty, staff and students may join this X.500 mailgroup or its Macintosh equivalent (MACAVU) by using maX.500, waX.500, or ud on the UMCE Login Service. Those who have problems doing this or who aren't members of the U-M community may join the list by sending email to pcavu@umich.edu or macavu@umich.edu with text requesting that a specified email address be added to the appropriate group.)

  7. I have heard of not a single incidence of this Trojan, but I've seen enough brouhaha about it to put it into the "Good Times" hoax category. The only difference is that, apparently, it does exist.

  8. On our home page (http://www.umich.edu/~virus-busters/) we attempt to keep up-to-date information about viruses, Trojans, and hoaxes. Please check there before reacting to unconfirmed reports. If you find no information about the report, please do contact us (virus.busters@umich.edu). If the report is substantiated, we'll send e-mail to the groups mentioned above and put information on our home page as soon as we can.

  9. I'm plenty annoyed about this, but not at anyone who sends me such messages. I appreciate notification about such things, though I try to keep my ear to the tracks, and I particularly value having folks contact me first before spreading possibly false alarms.

  10. It's sad that journalism has degraded to the point where some editors no longer check sources. The company is well known; they have email, a BBS, and a web page. Even so, an article appeared 3/26/96 on at least one web site advertising this "new" threat. I just adore having a new headache. (Grrrrrrrr)


Last updated: Wednesday, 02-Jan-2002 19:00:54 EST.
University of Michigan Virus Busters - virus.busters@umich.edu

This page has existed since 4/17/96.