False positive doodling.org.uk


Nick
December 5th, 2006, 12:15 AM
A few people have posted over at Castle Cops about this site generating an alert from NOD 32, hXXp://www.doodling.org.uk/startups/bad_startupsall.htm.

You can see the talk at Castle Cops here (http://www.castlecops.com/t172915-Infective_trojan_at_startup_list_link.html). There's a link to a screen shot of the alert a few posts into the topic.

I've submitted the file to Eset using the internal submit for analysis in NOD 32. The alert is listed as a BAT/generic trojan, which sounds like a heuristic detection.

Thanks for looking into this.

Blackspear
December 5th, 2006, 12:54 AM
Here is a screenshot.

Please also send an email to support @ eset.com with a link to this thread.

Cheers ;D

Bubba
December 5th, 2006, 08:54 AM
> A few people have posted over at Castle Cops about this site generating an alert from NOD 32, hXXp://www.doodling.org.uk/startups/bad_startupsall.htm

To narrow it down further... if one goes to the Index of /startups (http://www.doodling.org.uk/startups/) page... the only alphanumeric on this end that burps with that same Nod alert is http://www.doodling.org.uk/startups/bad_startups_c.htm

It appears it does not like the description of the chart.vbs I-Worm.Gigger worm contained in the bad_startups_c.htm file.

kjempen
December 5th, 2006, 03:23 PM
Is it really considered a "false positive" when they put parts of the source code of a malicious script in a malware description?

pykko
December 5th, 2006, 03:51 PM
Well, I think not quite. As IC suggested once, it is useful to post that code as a picture, not text, and so it will result in no FP. ;D