Threat Explorer

The Threat Explorer is a comprehensive resource consumers can turn to for daily, accurate, up-to-date information on the latest threats, risks and vulnerabilities.

3b Trojan

3b Trojan

13 February 2007
Also Known As:
PKZip Trojan, PKZ300B.ZIP

Although this Trojan horse at one time existed, there has been no reported infection or destruction caused by it since late 1995. The rumor of its existence, however, has been quickly spreading through Internet mail from the time it was first discovered. This Trojan horse program, although it did exist at one time, is now more a rumor or hoax than an actual threat to the public. It has caused more damage and concern through its rumored existence than by direct action of the program itself.

For those interested, here is a summary of how the original strain functioned. Again, it is not currently considered in distribution and is not considered a threat to the public.

3b Trojan is a Trojan Horse program that claims to be the latest version of PKZIP, Version 3.0g, from PKWARE Inc. 3b Trojan was first received by the Symantec AntiVirus Research Center in late July 1995. The definition (fingerprint) was integrated into the August 1995 virus definition set and has been part of every update since that initial release.

3b Trojan is not a virus. Trojan Horse programs do not replicate and spread themselves. Instead, they masquerade as legitimate programs, in this case, as a new release of PKZIP. Users download these programs, thinking them beneficial, and run them. For the event, or trigger, to take place, users must manually download these files and consciously run them. The vast majority of Trojan Horse programs are written with a destructive intention.

3b Trojan has been distributed under the following names:
  • PKZ300B.EXE
  • PKZ300B.ZIP
  • PKZIP300.EXE
  • PKZIP300.ZIP

The triggered event is to format the hard drive. The "self-extracting" versions of the executable (.EXE) files for 3b Trojan (.EXE) and the "PKZIP" program within it have this trigger. There have also been reports that 3b Trojan "affects modems of 1.44 and higher." These accounts are incorrect: 3b Trojan has no such capability.

As of November 1996, only the following releases of DOS PKZIP program are valid:
  • 1.10
  • 1.93
  • 2.04c
  • 2.04e
  • 2.04g

In response to 3b Trojan, PKWARE Inc. has issued the following statement:

It has come to the attention of PKWARE that a fake version of PKZIP is being distributed as PKZ300B.ZIP or PKZ300.ZIP. It is not an official version from PKWARE and it will attempt to erase your hard drive if run. It attempts to perform a deletion of all the directories of your current drive. If you have any information as to the creators of this Trojan horse, PKWARE would be extremely interested to hear from you. If you have any other questions about this fake version, please email .

You can download PKZIP 2.04g from the PKWARE Web site.Please ignore any messages regarding this hoax and do not pass on messages. Passing on messages about the hoax only serves to further propagate it.