Avast does not detect JS/iFrame.cti here....

See: hxtp://vscan.urlvoid.com/analysis/6de0918546ab04350c83ab152a575a51/aW5kZXg=/
and htxps://www.virustotal.com/file/6bc7cb20bd5347240c24dc5302ca4928818dfaabd88b3d1cc1f905cc167b84c7/analysis/
site scan: htxps://www.virustotal.com/url/5551a6f591241ea2e0830e41a1a44c472ef272ad3c84389c7a35a62ddccd1c8d/analysis/1330008685/
ip source = frame src='htxp://grbmulcq.ddns.info/stds/go.php?s see for this XSS attack code, also seen at pastebin on on Febr. 23rd, 2012:
htxp://jsunpack.jeek.org/?report=c7e0d95c89373d438f272cd1d6b77c5bdf54848b [visit last mentioned link only if security savvy,
with ample script protection and sandboxed],

reported to virus AT avast dot com, for webmasters a Malware Script Attack Fix for this is available here:
http://www.php-beginners.com/solve-wordpress-malware-script-attack-fix.html (link post author = paolo)

polonus

Hi forum friends,

It seems a lot of domains at dimenoc dot com, 67.23.226.35, have been abused and got infected like akhilgopinath dot com, kurampala dot com, londonexpresscar dot com, prismazure dot com, vanquishleather dot com. This now seems an ongoing malware campaign. Not only dimenoc dot com, also bluehost dot com was abused (74.220.207.139) with themiixx dot com. These webpages are reported by Unmasked Parasites, see for instance: http://www.UnmaskParasites.com/security-report/?page=kurampala.com

This is how sucuri flags this malcode, see for instance here: http://sitecheck.sucuri.net/results/http://www.themiixx.com/

this virus is very good at hiding from the current AV that is running
every PHP, HTML and JS file can get compromised by this malware
- quotes taken from description on this sucuri malware entry.

Hopefully the avast shield could be made to flag this, For users of Wordpress this link: http://www.malfarmed.com/blog/step-by-step-wordpress-malware-removal/ (blog link article by james)

polonus