Description
A common way to distribute Trojan horses and other
damaging software is to package it as a new version of a
popular shareware package and put it up for download,
hoping that users of the program will retrieve and run
it. Due to its popularity, the shareware archiver and
compression program PKZip has been a frequent target.
The most recent Trojan version of PKZip occurred in 1995.
In May of that year, PKWare warned that a fake version of
PKZip was being distributed. The Trojan was contained in
a self-extracting archive named PKZ300B.EXE, claiming to
be a new version of the program.
The self-extracting archive program itself was harmless.
Inside, it contained a feeble attempt at duplicating the
files of a legitimate PKZip release, and a program,
PKZINST.EXE, which was a Trojan. If run, it attempted to
format the C: drive and then delete all the files on C:.
Due to bugs in the code, these damaging effects did not
actually work.
In order to reduce confusion, PKWare decided to never
release a version with this number. If you ever see a
file claiming to be PKZip version 3.0.0b, it is not
genuine.
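As an added illustration (not part of the Sophos description), the check below lists the members of a self-extracting archive without running it and flags the two markers the description gives: a member named PKZINST.EXE and a claimed version 3.0.0b. The sample archive is constructed here with placeholder contents; the member names, version tag and outer filename are taken from the text above.

```python
import io
import zipfile

# Markers taken from the description: the Trojan member name, the
# never-released version string and the name of the fake archive.
SUSPECT_MEMBERS = {"PKZINST.EXE"}
BOGUS_VERSION_TAGS = ("3.0.0B", "PKZ300B")
BOGUS_ARCHIVE_NAME = "PKZ300B.EXE"


def build_sample_sfx(include_trojan: bool = True) -> bytes:
    """Constructed sample: a stand-in extractor stub followed by ZIP data.
    Member contents are placeholders, not the real PKZ300B.EXE contents."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("PKZIP.EXE", b"placeholder, not a real binary")
        readme = b"PKZIP version 3.0.0b" if include_trojan else b"PKZIP 2.04g"
        zf.writestr("README.DOC", readme)
        if include_trojan:
            zf.writestr("PKZINST.EXE", b"placeholder, not the real Trojan")
    stub = b"MZ" + b"\x00" * 510  # stand-in for the self-extractor stub
    return stub + buf.getvalue()


def inspect_sfx(data: bytes, filename: str = "") -> dict:
    """Inspect a self-extracting archive statically.
    zipfile finds the end-of-central-directory record from the end of the
    file, so the executable stub in front of the ZIP data is skipped."""
    claims_bogus_version = filename.upper() == BOGUS_ARCHIVE_NAME
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = [info.filename for info in zf.infolist()]
        for info in zf.infolist():
            if info.file_size > 1_000_000:  # only scan small text-like members
                continue
            text = zf.read(info).decode("latin-1").upper()
            if any(tag in text for tag in BOGUS_VERSION_TAGS):
                claims_bogus_version = True
    suspect = sorted(n for n in names if n.upper() in SUSPECT_MEMBERS)
    verdict = "not genuine" if suspect or claims_bogus_version else "no known marker"
    return {
        "members": names,
        "suspect_members": suspect,
        "claims_bogus_version": claims_bogus_version,
        "verdict": verdict,
    }
```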
While the warning about the Trojanised PKZip is genuine
(although the program is not actually dangerous, due to
flaws), the hysteria that followed was completely out of
proportion to the danger.
Sophos, and most other anti-virus vendors, have never been
contacted by anyone claiming to have suffered from this
Trojan. We have, however, been contacted by numerous
people worried about the warning, which was spread far and
wide, and appears to resurface every so often.
To summarise: PKZ300B.EXE, while a real Trojan, wasn't
much of a danger when it was news, and now it is no
danger at all.