The AFU and Urban Legend Archive




From: arthurg@is.co.za (Arthur Goldstuck)
Newsgroups: alt.folklore.urban
Subject: PKZIP300: The facts/FAQ
Date: Mon, 21 Oct 1996 18:32:18 GMT

PKZIP300: The facts/FAQ, October 21, 1996

Some time ago I mentioned that the PKZIP300.EXE virus scare might be an urban legend, as I had never seen it "in the wild" as the anti-virus community terms it, nor heard of anyone who had actually been hit by it. Brian Merkel then confirmed he had been hit by it, although it was called PKZIP305.EXE. His experience was that the program appeared to be PKZIP, and behaved just like it, for three weeks before it bombed his hard drive and informed him he had been hit by PKZIP305.EXE.
For some, this will not be convincing in itself, especially since the official warning is of PKZIP300.EXE (posted at the PKWARE site in May 1995). I went in search of anti-virus professionals and had the good fortune to meet Mikko Hypponen, International Support Manager for the Finnish anti-virus package F-Prot Professional. These are the facts(/FAQ), as outlined by him:
1. The PKZIP300 virus warning as well as the virus itself is real, although the spread of warnings across the Internet is equivalent to the spread of the Good Times virus warnings in that it has evolved into a chain letter.
2. The danger from PKZIP300.EXE no longer exists.
3. "It's a trojan horse, which pretends to be new version of PKZIP."
4. Officially, it has been reported only once, in California in late 1994. The anti-virus community received "one single report of the file being found in only one BBS - someone's hard drive got trashed, the file was removed from the BBS and sent to McAfee, and that's it". It was never reported "in the wild" again.
5. There could be several versions of it, based on the original, so it is possible that people could see files like PKZIP305.EXE.
6. The original PKZIP300.EXE virus is difficult to find, "even among collectors. It's very rare."
So the question now arises, how did the warning suddenly invade the Internet, more than a year after it was officially posted, and long after the danger was gone? (See? I told you this would be a FAQ.)
7. Mikko Hypponen answers:
"I think some clueless newbie got onto the Net, went to the PKWARE site, read the old warning, and decided it was very important for everyone to know about it, and sent it out, without a date. Others started passing it around, and it became the usual chain letter story after that."
How sure are you it's not waiting to zap me?
8. Hypponen: "I can state categorically that PKZIP 300 is not in the wild."
If you have anything substantive to add to this little history, write to me at arthurg@is.co.za, but please don't post the warning or variations of it to me, or to anyone else for that matter. We all have enough of them arriving in our mailboxes unsolicited.

Arthur "for my next trick, the real Good Times virus" Goldstuck

(No, really.)


http://tafkac.org/