Analysis of an unknown malicious JavaScript
Cause of injection
It is also worth noting how the malicious JavaScript was injected into a static HTML page. There are two possible scenarios:
Scenario 1: automatic bot accessing the FTP service of the web server
The FTP credentials are stored on a PC in the browser, FileZilla or another FTP client, where a virus is able to retrieve them; some viruses also sniff these credentials from the local network. The stolen credentials are sent to a drop box on the Internet, where they are used to connect to the web server and append the malicious JavaScript to the web pages.
Several sources on the Internet confirm this behavior, for example for the Gumblar virus: http://www.phpbb.com/blog/2009/05/22/dealing-with-gumblar-and-martuz/
Scenario 2: virus infects local web pages on the PC
Another scenario is that the virus changes the local HTML/ASP/PHP pages and appends the malicious JavaScript locally. When the developer then updates the site over FTP or a VPN connection, the modified pages are copied along with the rest and put online. We do not know under which name the virus is categorized.
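
In both scenarios the end result is the same: script appended to otherwise unchanged pages. The following is an added example, not part of the original analysis, that checks a web root or a developer's local copy for such appended content, either against a known-good copy or, without one, by looking for a `<script>` after the final `</html>`. The function names, the directory layout and the sample pages are assumptions constructed for illustration.

```python
from __future__ import annotations
import re
import tempfile
from pathlib import Path

PAGE_SUFFIXES = {".html", ".htm", ".asp", ".php"}  # page types named in the text
CLOSE_HTML = re.compile(rb"</html\s*>", re.IGNORECASE)
SCRIPT_TAG = re.compile(rb"<script\b", re.IGNORECASE)

def appended_suffix(clean: bytes, deployed: bytes) -> bytes | None:
    """With a known-good copy: return bytes appended to an otherwise intact page."""
    if deployed != clean and deployed.startswith(clean):
        return deployed[len(clean):].strip() or None
    return None

def script_after_close(page: bytes) -> bytes | None:
    """Without a baseline: return the tail if a <script> follows the last </html>."""
    closes = list(CLOSE_HTML.finditer(page))
    if not closes:
        return None
    tail = page[closes[-1].end():]
    return tail.strip() if SCRIPT_TAG.search(tail) else None

def scan(webroot: Path, baseline: Path | None = None) -> dict[str, bytes]:
    """Map relative page path -> suspicious appended bytes."""
    findings = {}
    for path in sorted(webroot.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in PAGE_SUFFIXES:
            continue
        rel, data, extra = path.relative_to(webroot), path.read_bytes(), None
        if baseline and (baseline / rel).is_file():
            extra = appended_suffix((baseline / rel).read_bytes(), data)
        extra = extra or script_after_close(data)
        if extra:
            findings[rel.as_posix()] = extra
    return findings

def demo() -> dict[str, bytes]:
    """Constructed sample: one clean page, one page with an appended script."""
    clean = b"<html><body>Hello</body></html>\n"
    marker = b"<script>/* constructed placeholder */</script>"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.html").write_bytes(clean)
        (root / "about.htm").write_bytes(clean + marker + b"\n")
        return scan(root)

if __name__ == "__main__":
    for page, extra in demo().items():
        print(page, extra[:60])
```

The `</html>` heuristic misses pages that have no closing tag, such as PHP includes, so passing a clean copy from version control or a backup as `baseline` gives better coverage.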