Hello there,
very good catch indeed.
This is how things are:
1. I checked always all files and distributions with my antivirus: Avira Antivir and no problems where ever found.
2. When using AVG it finds the virus you mention in the file ...\packages\acs-templating\www\resources\xinha-nightly\plugins\QuickTag\tag-lib.js (of course it finds it also in the .exe file, because the .exe file - the installer - contains the above mentioned .js file).
3. I checked that file (tag-lib.js) against the orginal distributions (OpenACS 5.6.0) and (.LRN 2.5.0). There's no difference among the files contained in the original tar files and the ones in my distribution. For example if you download OpenACS 5.6.0, untar it and scan it with your anti virus, you'll get the same problem notification.
4. Now the file tag-lib.js is in an encrypted form and I can't really tell if it is infected or not. I would think it is not. If it is, also the OpenACS and .LRN distributions need to be cleaned/amended.
Hope it helps,
Maurizio
PS: we all live in a world with timezones and where people usually have a job to do (to pay for some fun time in the Open Source area...) I believe I reacted to your observations even quicker and faster than a normal company (with a properly paid support contract) would ever do...