When a user browses to a compromised site, the injected JavaScript loads a file named 1.js. The JavaScript code then redirects the user to 1.htm. Once loaded, the file attempts 8 different exploits. The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at this time.
The number of sites affected is in the hundreds of thousands and include UK government sites and a United Nations Web site. Casualties of the previous attack included various U.S. news Web sites, a major Israeli shopping portal, and numerous travel sites.