maybe FP
apm
January 26th, 2008, 06:12 AM
Nod32 v3 detects the page below as a virus: hxxp://www.sausage.co.uk/software/perfectdisk/about.html
Win32/Allaple.Gen worm
Bubba
January 26th, 2008, 08:03 AM
It does not like the OBJECT code contained in the beginning of the html file.
apm
January 27th, 2008, 12:34 AM
"about[1].htm" from jotti's scan:
~Online scan results removed per Policy (http://www.wilderssecurity.com/showthread.php?t=180057)~
When the file is named "about[1].txt", NOD32 detects nothing, but when it is renamed to "about[1].htm", NOD32 detects it as Win32/Allaple.Gen worm.
Marcos
January 27th, 2008, 07:12 AM
-{ Quote: "Nod32 v3 detects this below page as virus: hxxp://www.sausage.co.uk/software/perfectdisk/about.html
Win32/Allaple.Gen worm" }-
The link doesn't seem to work now.
Bubba
January 27th, 2008, 07:52 AM
-{ Quote: "The link doesn't seem to work now." }-
The link is still active, but if one clicks on the link in the first post above it will not go anywhere, since it was altered yesterday by Ronjor to prevent accidental clicking. The Object code mentioned above is also still active on the page this AM.
Marcos
January 28th, 2008, 12:40 AM
Maybe it was a server glitch as I'm positive I used "http://... ". Anyway, we have analysed the html code and it really seems to contain Allaple's code.
flyrfan111
January 28th, 2008, 04:52 AM
So it is not an FP then?
Stijnson
January 28th, 2008, 05:09 AM
Should this code (worm) also be detected by NOD2.7 and when using Firefox? I visited the same page and NOD didn't give a warning...
Eagle Creek
January 28th, 2008, 08:08 AM
Both Firefox and Internet Explorer trigger the alarm over here.
Edit: So does Opera.
rothko
January 28th, 2008, 11:19 AM
I don't know if they did earlier, but more now detect this threat, including Kaspersky, Microsoft, AntiVir and McAfee, so it is looking less and less likely that it is an FP.
flyrfan111
January 28th, 2008, 11:29 AM
It is not an FP. The only reason I asked was that Marcos said it SEEMS to contain Allaple code, not that it DOES, so I just wanted some clarification. Other vendors are adding it as well now.
Bubba
January 28th, 2008, 12:24 PM
-{ Quote: "Other vendors are adding it as well now." }-
True, and since I am not a qualified analyzer, I'd still be curious to know what they are keying on if not the Object ID code :-\
As mentioned above and as shown in the pic, the Object HTML code is what appears to be the trigger. In fact, if one were to upload the below as an HTML file to Jotti/VT, the same results are found, even with legit Flash and Media Player CLSIDs.
<HTML>
<OBJECT type="application/x-oleobject"CLASSID="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000"></OBJECT>
<OBJECT type="application/x-oleobject"CLASSID="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6 "></OBJECT>
<OBJECT type="application/x-oleobject"CLASSID="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000"></OBJECT>
<OBJECT type="application/x-oleobject"CLASSID="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6 "></OBJECT>
<OBJECT type="application/x-oleobject"CLASSID="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000"></OBJECT>
<OBJECT type="application/x-oleobject"CLASSID="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6 "></OBJECT>
<OBJECT type="application/x-oleobject"CLASSID="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000"></OBJECT>
<OBJECT type="application/x-oleobject"CLASSID="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6 "></OBJECT>
<OBJECT type="application/x-oleobject"CLASSID="CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000"></OBJECT>
<OBJECT type="application/x-oleobject"CLASSID="CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6 "></OBJECT>
</HTML>
flyrfan111
January 28th, 2008, 12:48 PM
According to the analysis report I got, the CLASSIDs are randomly generated each time the trojan is executed which adds to the difficulty in detecting it of course.
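Two points in this thread together suggest how a defender could write a content-based check for this pattern: Bubba's post shows that a run of empty OBJECT tags is enough to trigger the detection, and flyrfan111's analysis report says the CLSIDs change per infection, so matching on the CLSID values themselves is pointless. The scanner below is an added example written for this page; it is not code from the thread, from ESET or from any other vendor. It counts OBJECT elements of type application/x-oleobject that carry a CLSID and have no body at all, and flags a file once that count reaches a threshold (the default of three is an assumed tuning value, not something the thread states). It reads file contents regardless of extension, so a copy renamed from .htm to .txt scores the same, unlike the extension-gated behaviour apm observed. The sample HTML is constructed here using the same two legitimate Flash and Windows Media Player CLSIDs the post used, including the missing space before CLASSID and the trailing space inside one value, to show the parser copes with that markup.

```python
import re
from dataclasses import dataclass

# Constructed sample mirroring the injected OBJECT-tag block from the thread.
# The two CLSIDs are the legitimate Flash and Windows Media Player ones the
# post used; the sloppy markup (no space before CLASSID, trailing space in the
# second value) is kept on purpose so the scanner is tested against it.
FLASH_CLSID = "CLSID:D27CDB6E-AE6D-11cf-96B8-444553540000"
WMP_CLSID = "CLSID:6BF52A52-394A-11D3-B153-00C04F79FAA6 "
SAMPLE_INJECTED = "<HTML>\n" + "".join(
    f'<OBJECT type="application/x-oleobject"CLASSID="{c}"></OBJECT>\n'
    for c in (FLASH_CLSID, WMP_CLSID) * 5
) + "</HTML>\n"

# Constructed benign page: one OBJECT that actually embeds content via
# <param>/<embed>, which is what a real Flash embed looks like.
SAMPLE_BENIGN = """<html><body>
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="320" height="240">
  <param name="movie" value="intro.swf">
  <embed src="intro.swf" type="application/x-shockwave-flash">
</object>
<p>Product page</p>
</body></html>"""

# Match each OBJECT element and capture its raw attribute text and its body.
OBJECT_RE = re.compile(r"<object\b([^>]*)>(.*?)</object\s*>", re.I | re.S)
# Tolerant attribute matcher: handles double, single or unquoted values and
# attributes jammed together without whitespace (as in the injected markup).
ATTR_RE = re.compile(
    r"""([A-Za-z_:][-\w:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))"""
)


def parse_attrs(raw: str) -> dict:
    """Return lower-cased attribute name -> value for one tag's attribute text."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


@dataclass
class ScanResult:
    total_objects: int          # every OBJECT element seen
    empty_oleobject_stubs: int  # OBJECTs with type x-oleobject, a CLSID, no body
    clsids: list                # distinct CLSIDs found on the stubs (normalised)
    suspicious: bool            # stub count reached the threshold


def scan_html(text: str, threshold: int = 3) -> ScanResult:
    """Flag HTML that contains a run of empty ActiveX OBJECT stubs.

    The signal is structural (many OBJECT elements that embed nothing), not the
    CLSID values, because those are reported to vary between infections.
    The threshold is an assumed tuning value.
    """
    total = stubs = 0
    clsids = []
    for m in OBJECT_RE.finditer(text):
        total += 1
        attrs = parse_attrs(m.group(1))
        body = m.group(2)
        classid = attrs.get("classid", "").strip().upper()
        is_ole = attrs.get("type", "").strip().lower() == "application/x-oleobject"
        if is_ole and classid.startswith("CLSID:") and not body.strip():
            stubs += 1
            if classid not in clsids:
                clsids.append(classid)
    return ScanResult(total, stubs, clsids, stubs >= threshold)


def scan_file(path: str, threshold: int = 3) -> ScanResult:
    """Scan a file by content only; the extension is never consulted."""
    with open(path, "rb") as fh:
        data = fh.read()
    return scan_html(data.decode("latin-1", errors="replace"), threshold)


if __name__ == "__main__":
    for label, sample in (("injected", SAMPLE_INJECTED), ("benign", SAMPLE_BENIGN)):
        r = scan_html(sample)
        print(f"{label}: objects={r.total_objects} stubs={r.empty_oleobject_stubs} "
              f"distinct_clsids={len(r.clsids)} suspicious={r.suspicious}")
```

Run as-is it reports the constructed injected sample as suspicious (ten empty stubs, two distinct CLSIDs) and the benign embed as clean; pointing scan_file at a saved copy of a page gives the same verdict whatever the file is called. Because the check keys on the structure of the injected block rather than on any particular CLSID, it still fires when the CLSIDs are random, which is exactly the property the thread says signature-only matching lacks.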
Copyright ©2002 - 2013, Wilders Security Forums