rocknbil - 3:54 pm on Aug 27, 2010 (gmt 0)
JK, this would be good to know if you have documentation, do you have any sources? I agree with 1 and 2, don't know about 3 - I'm guessing it's a local computer, no mother ship involved. But changing the passwords as suggested below might solve it in both cases since they can't contact E.T. :-)
I wouldn't be so quick to blame WordPress.
Agreed, although most of these I've seen with WP and tinyMCE, I don't know that it's specifically the cause. It usually turns out being the webmaster in question has contracted the virus on their local computer - not the server - and is the source of the propagation.
Recent sighting #1 [webmasterworld.com]
Recent sighting #2 [webmasterworld.com]
I've cleansed these before, it's usually just files, then change **all** passwords before updating anything.
First check your database. If there are malicious patterns in the database content, this is something else and a result of XSS (Cross Site Scripting) or blind MySQL injection (not likely, WP seems pretty tight in that regard, unless these are old versions).
Re-check your AVG, re-scan your drive, make sure you're clean, then change all passwords - FTP, cPanels, WP logins, everything. Now re-upload and it should stay gone.