
Constructor.Win32.Downldr.ek in newly downloaded Microsoft file


eli

Sep 28, 2008, 6:52:37 AM
Hi:
 
I found the Constructor.Win32.Downldr.ek virus in a MS file I had lying around in My Documents. Zone Alarm Security Suite 7.0.483.000 picked it up on a scheduled scan.
 
The file is named: WindowsXP-KB838079-SupportTools-ENU.exe
 
and can be downloaded from:
 
 
After it was quarantined, I tried downloading it again as a fresh copy from the MS download link above. It too showed the:
 
Constructor.Win32.Downldr.ek 
 
virus.
 
I submitted the newly downloaded file to www.virustotal.com
 
It showed that both Kaspersky and F-Secure detect that same virus. F-Prot shows it to be a damaged file. The other 33 engines found nothing wrong in this file.
 
I'm puzzled by these findings.
 
Could it be that Microsoft has an infected and/or damaged file on its download site?
 
Or is this a false positive?
 
Thanks in advance:
 
-Eli
================
 
Windows XP Professional Edition SP3
Zone Alarm Security Suite 7.0.483.000

 

David H. Lipman

Sep 28, 2008, 7:39:15 AM
From: "eli" <som...@somebody.com>

| http://www.microsoft.com/downloads/details.aspx?FamilyID=49ae8576-9bb9-4126-9761-ba8011fabf38&DisplayLang=en

| Constructor.Win32.Downldr.ek

| virus.

| Thanks in advance:

| -Eli
| ================


WindowsXP-KB838079-SupportTools-ENU.exe is a self extracting archive file.

It consists of three .CAB files and a Microsoft Installer, .MSI file.

The False Positive declaration was in: support.cab

These are files from the Windows NT Resource Kit.

I did not track down the specific file in the CAB file but it is a False Positive
declaration.

BTW: F-Secure did NOT detect anything in my test.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
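
The reply above describes the download as a self-extracting archive wrapping .CAB files and leaves the flagged member of support.cab unidentified. As an added example (not part of the thread), the Python below finds cabinet headers embedded in a file and lists each cabinet's member names and sizes, which is the first step in isolating the member an engine flags. It assumes the standard Microsoft Cabinet header layout; the function names, sample bytes and member names are constructed for illustration.

```python
import struct

CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")  # 36-byte cabinet header
CFFILE = struct.Struct("<IIHHHH")            # fixed 16 bytes of a file entry, name follows

def parse_cab_directory(blob, base):
    """Return [(member_name, uncompressed_size)] for the cabinet at base, or None."""
    if base + CFHEADER.size > len(blob):
        return None
    (_sig, r1, cb_cab, r2, coff_files, r3, vminor, vmajor,
     _folders, n_files, _flags, _set_id, _i_cab) = CFHEADER.unpack_from(blob, base)
    # Reject chance "MSCF" byte runs: reserved fields are zero and the version is 1.3.
    if r1 or r2 or r3 or (vmajor, vminor) != (1, 3) or base + cb_cab > len(blob):
        return None
    members, cur, limit = [], base + coff_files, base + cb_cab
    for _ in range(n_files):
        if cur + CFFILE.size > limit:
            return None
        size = CFFILE.unpack_from(blob, cur)[0]
        end = blob.find(b"\0", cur + CFFILE.size, limit)
        if end == -1:
            return None
        members.append((blob[cur + CFFILE.size:end].decode("latin-1"), size))
        cur = end + 1
    return members

def list_embedded_cabs(blob):
    """Return [(offset, members)] for every valid cabinet header found in blob."""
    found, pos = [], blob.find(b"MSCF")
    while pos != -1:
        members = parse_cab_directory(blob, pos)
        if members is not None:
            found.append((pos, members))
        pos = blob.find(b"MSCF", pos + 4)
    return found

def build_sample_cab(files):
    """Constructed test input: a directory-only cabinet (one folder, no data blocks)."""
    entries = b"".join(CFFILE.pack(size, 0, 0, 0, 0, 0x20) + name.encode() + b"\0"
                       for name, size in files)
    coff_files = CFHEADER.size + 8            # header + one 8-byte CFFOLDER
    total = coff_files + len(entries)
    header = CFHEADER.pack(b"MSCF", 0, total, 0, coff_files, 0, 3, 1, 1, len(files), 0, 0, 0)
    return header + struct.pack("<IHH", total, 0, 0) + entries

# Constructed sample: stub bytes, a stray "MSCF" string, then two cabinets.
CAB1 = build_sample_cab([("tool_a.exe", 4096), ("readme.txt", 120)])
CAB2 = build_sample_cab([("tool_b.dll", 2048)])
SAMPLE = b"MZ" + b"\0" * 62 + b"MSCFxxxx" + CAB1 + b"\0" * 16 + CAB2
```

Calling `list_embedded_cabs()` on the bytes of a real installer gives the offsets to carve each cabinet out for extraction and per-member rescanning.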

