jk3210 - 3:34 pm on Aug 27, 2010 (gmt 0)

This is what usually happens...

1.) A trojan gets in your LOCAL machine.

2.) This trojan scraps your FTP client for login userID/password info and sends it to the mothership.

3.) The mothership uses the scraped login info to upload a base64-encoded javascript iframe to certain pages of all your WP sites that are listed in your FTP client, usually the index.php page.


The reason this virus is so insidious is that webmasters try to attack the problem by first removing the javascript from the WP sites, but this will only fix the problem temporarily because the WP sites keep getting re-infected. Remember, the mothership has your login info.

The REAL problem is on the LOCAL machine. Clean the LOCAL machine first, then change all passwords to your WP sites.

THEN remove the iframe javascript from the WP sites.