Updated: February 13, 2007 11:50:19 AM
Also Known As: PKZip Trojan, PKZ300B.ZIP
Type: Hoax



Antivirus Protection Dates

  • Initial Rapid Release version December 21, 2000
  • Latest Rapid Release version August 08, 2016 revision 023
  • Initial Daily Certified version December 21, 2000
  • Latest Daily Certified version August 09, 2016 revision 001

Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.

Updated: February 13, 2007 11:50:19 AM
Also Known As: PKZip Trojan, PKZ300B.ZIP
Type: Hoax


Although this Trojan horse at one time existed, there has been no reported infection or destruction caused by it since late 1995. The rumor of its existence, however, has been quickly spreading through Internet mail from the time it was first discovered. This Trojan horse program, although it did exist at one time, is now more a rumor or hoax than an actual threat to the public. It has caused more damage and concern through its rumored existence than by direct action of the program itself.

For those interested, here is a summary of how the original strain functioned. Again, it is not currently considered in distribution and is not considered a threat to the public.

3b Trojan is a Trojan Horse program that claims to be the latest version of PKZIP, Version 3.0g, from PKWARE Inc. 3b Trojan was first received by the Symantec AntiVirus Research Center in late July 1995. The definition (fingerprint) was integrated into the August 1995 virus definition set and has been part of every update since that initial release.

3b Trojan is not a virus. Trojan Horse programs do not replicate and spread themselves. Instead, they masquerade as legitimate programs, in this case, as a new release of PKZIP. Users download these programs, thinking them beneficial, and run them. For the event, or trigger, to take place, users must manually download these files and consciously run them. The vast majority of Trojan Horse programs are written with a destructive intention.

3b Trojan has been distributed under the following names:

  • PKZ300B.EXE
  • PKZ300B.ZIP
  • PKZIP300.EXE
  • PKZIP300.ZIP

The triggered event is to format the hard drive. The "self-extracting" versions of the executable (.EXE) files for 3b Trojan (.EXE) and the "PKZIP" program within it have this trigger. There have also been reports that 3b Trojan "affects modems of 1.44 and higher." These accounts are incorrect: 3b Trojan has no such capability.

As of November 1996, only the following releases of DOS PKZIP program are valid:
  • 1.10
  • 1.93
  • 2.04c
  • 2.04e
  • 2.04g

In response to 3b Trojan, PKWARE Inc. has issued the following statement:

It has come to the attention of PKWARE that a fake version of PKZIP is being distributed as PKZ300B.ZIP or PKZ300.ZIP. It is not an official version from PKWARE and it will attempt to erase your hard drive if run. It attempts to perform a deletion of all the directories of your current drive. If you have any information as to the creators of this Trojan horse, PKWARE would be extremely interested to hear from you. If you have any other questions about this fake version, please email support@pkware.com .

You can download PKZIP 2.04g from the PKWARE Web site.Please ignore any messages regarding this hoax and do not pass on messages. Passing on messages about the hoax only serves to further propagate it.