Office.Microsoft.Com: NOD32 Catching HTML/ScrInject.B.Gen virus

Discussion in 'ESET NOD32 Antivirus' started by pmabee, Oct 28, 2011.

Thread Status:
Not open for further replies.
  1. pmabee

    pmabee Registered Member

    Looks like the MS office site has been compromised.
     
  2. jmcvay

    jmcvay Registered Member

    I have been receiving several alerts relating to Microsoft Office Help as well. I can't tell if you are being sarcastic or not, but I am going to guess that it is a sensitivity issue in a recent update. Both the Real-time and HTTP Scanner are picking them up.


    ClientSectionID = 16777475
    DateReceived = Oct 28 2011
    DateOccurred = Oct 28 2011
    ScannerReportedID = 16843009
    LogLevel = 2684420097
    Object = file
    Name = C:\Documents and Settings\username\Local Settings\Temporary Internet Files\Content.IE5\3J1R2G92\hfws[1].aspx
    Virus = HTML/ScrInject.B.Gen virus
    ActionTaken = unable to clean
    Info = Event occurred during an attempt to access the file by the application: C:\Program Files\Microsoft Office\OFFICE11\1033\MSOHELP.EXE.
    Details = N
    ScannerReportedName = Real-time file system protection


    ClientSectionID = 16777475
    DateReceived = Oct 28 2011
    DateOccurred = Oct 28 2011
    ScannerReportedID = 16974336
    LogLevel = 1073807362
    Object = file
    Name = http://office.microsoft.com/en-us/support/??CTT=6&Origin=EC010227221033
    Virus = HTML/ScrInject.B.Gen virus
    ActionTaken = connection terminated - quarantined
    Info = Threat was detected upon access to web by the application: C:\Program Files\Internet Explorer\iexplore.exe.
    Details = N
    ScannerReportedName = HTTP filter
     
  3. techie007

    techie007 Registered Member

    Myself and another user (rcash, at least) have both contacted ESET and they recognize it's a false positive and have said it will be fixed in the next defs.

     
  4. Marcos

    Marcos Eset Staff Account

    As it's been mentioned, this is a false positive that is going to be fixed in update 6584 that is being prepared right now and will be available shortly. Also we've taken measures to prevent other users from downloading the erroneous update.
     
  5. pmabee

    pmabee Registered Member

    Wasn't being sarcastic. Just thought that the Office site had really been compromised, which wouldn't surprise me at all.

    So a false positive, huh? At least NOD32 wasn't detecting itself as a virus.
     
  6. Marcos

    Marcos Eset Staff Account

    Yes, it was an unfortunate detection due to a very complex JavaScript (142 kB in size).
     
  7. siljaline

    siljaline Registered Member

    A prior post / findings of mine; perhaps there is something that could be of use to ESET.
     
  8. FourEyes

    FourEyes Registered Member

    Hello there,

    Just joined the forum after finding on Google.

    I am being blocked by ESET for a website called -midiox.com-

    Could you say if this is also a false positive, please?

    Thanks

    Mike
     
  9. SweX

    SweX Registered Member

  10. FourEyes

    FourEyes Registered Member

    Many thanks

    Mike
     
  11. SweX

    SweX Registered Member

    You're very welcome :)
     