Repair encrypted ya1krevedko.com iframe injection
Another nasty came to my attention that also injects code into HTML pages. Fortunately I wasn't hit by this one; it was submitted to me by someone else.
The code itself is more difficult to match as it is obfuscated (it isn't really encrypted), and the function names/variable names may be different each time. To handle this, I modified the zief.pl script to use regular expressions to match, and then wrote an expression that will match the obfuscated malicious code. While it is theoretically possible that it could match other code, that is highly unlikely, and any such code would also be rather badly written...
' Script written by David Barrett
' Copyright 2009
' http://www.cedit.biz/
' This script is licensed under the Creative Commons
' Attribution 2.5 Licence
' http://creativecommons.org/licenses/by/2.5/
'
' You are free to use it for both personal and
' commercial purposes, so long as full attribution
' is given to the author (David Barrett).
'
' This notice must not be removed
'
'
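' Fix ya1krevedko.com code injection
'
' Walks strSourceFolder recursively; for every file whose extension is listed
' in arrExtensions, removes text matching sRegExpSearch and records the
' repaired file in strLogFile. The script re-launches itself under cscript.exe
' so progress goes to the console instead of message boxes.
force_cscript
dim strSourceFolder, strLogFile, arrExtensions
' ************************************************************
' THESE ARE THE ONLY LINES THAT WILL NEED CHANGING
' ************************************************************
strSourceFolder="S:\contam" ' Change to the folder from which to start
strLogFile="S:\contam\log.txt" ' Change to full path/filename for log-file
arrExtensions=Array("htm","php", "asp", "html") ' Add/remove any file extensions to check
dim sRegExpSearch
' Define regular expression search - this must be specific
' enough that it is highly unlikely to match any valid script.
' "." in VBScript.RegExp does not match a line break, so the whole
' injected block must sit on one line for this pattern to match it.
sRegExpSearch="function \w*\(\w*\).*document\.write\(\w*\(\w*\)\);"
' Confirm the script parameters before anything on disk is modified.
' (The original appended to an undeclared strConfirm, which silently
'  dropped the folder line from the prompt.)
dim sConfirm
sConfirm= "About to check and repair files starting from:" & chr(10) & chr(13) & strSourceFolder
sConfirm=sConfirm & chr(10) & chr(13) & "Log file: " & strLogFile
sConfirm=sConfirm & chr(10) & chr(13) & chr(10) & chr(13) & "Continue?"
' Buttons=4 is Yes/No; MsgBox returns 6 for Yes, anything else aborts
if msgbox(sConfirm,4,"Confirm")<>6 then wscript.quit
dim objFSO, objF, objLog, objShell, dicExtensions
set objFSO=CreateObject("Scripting.FileSystemObject")
Set objShell = CreateObject("WScript.Shell")
set dicExtensions = CreateObject("Scripting.Dictionary")
' Text compare so "PAGE.HTM" is checked as well as "page.htm"
' (the default binary compare would skip upper-case extensions).
' CompareMode must be set before any key is added.
dicExtensions.CompareMode = 1
dim i
for i=0 to UBound(arrExtensions)
    dicExtensions.Add arrExtensions(i),arrExtensions(i)
next
' Overwrite any previous log
set objLog=objFSO.CreateTextFile(strLogFile,true)
set objF=objFSO.GetFolder(strSourceFolder)
RecursiveScan objF
objLog.Close
set objLog=Nothing
set objF=Nothing
set objFSO=Nothing
set objShell=Nothing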
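sub RecursiveScan(objFolder)
    ' Passes every file in objFolder whose extension is in dicExtensions to
    ' CheckFile, then descends into each sub-folder. Errors (e.g. a folder
    ' that cannot be listed) are written to objLog instead of being dropped
    ' silently, and scanning continues with the next entry.
    dim objFile, objSubFolder
    dim strExt
    on error resume next
    For each objFile in objFolder.Files
        ' Text after the last "." is the extension
        strExt=Mid(objFile.Name, InStrRev(objFile.Name, ".")+1)
        if dicExtensions.Exists(strExt) then
            ' This is a file to check
            CheckFile objFile
        end if
    next
    if Err.Number <> 0 then
        objLog.WriteLine "Error scanning files in " & objFolder.Path & ": " & Err.Description
        Err.Clear
    end if
    for each objSubFolder in objFolder.SubFolders
        RecursiveScan objSubFolder
    next
    if Err.Number <> 0 then
        objLog.WriteLine "Error scanning sub-folders of " & objFolder.Path & ": " & Err.Description
        Err.Clear
    end if
end sub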
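sub CheckFile(oFile)
    ' Reads oFile, cuts out the text matched by sRegExpSearch and, if anything
    ' was removed, rewrites the file in place and records it in objLog.
    ' Files that cannot be read are logged and left untouched.
    dim oTS, sFile
    dim oReg, cMatches, oMatch
    dim iStart, iLen, sFilename
    dim bContaminated, objTS
    bContaminated=false
    ' A local handler is required: without one a read error propagates to
    ' the caller and the Err.Number test below would never execute.
    on error resume next
    set oTS=oFile.OpenAsTextStream(1)
    sFile=oTS.ReadAll
    oTS.Close
    if err.number<>0 then
        objLog.WriteLine "Could not read: " & oFile.Path & " (" & Err.Description & ")"
        Err.Clear
        exit sub
    end if
    ' Check file contents for offending code
    wscript.echo "Checking " & oFile.Name
    set oReg=CreateObject("VBScript.RegExp")
    oReg.IgnoreCase=true
    ' Global=false: only the first occurrence is removed, as in the original;
    ' set it to true if a page can carry the injection more than once.
    oReg.Global=false
    oReg.Pattern=sRegExpSearch
    set cMatches=oReg.Execute(sFile)
    for each oMatch in cMatches
        ' Locate the match in the (possibly already edited) text and cut it out
        iStart=InStr(1,sFile,oMatch.Value)
        iLen=Len(oMatch.Value)
        sFile=Left(sFile, iStart-1) & Mid(sFile, iStart+iLen)
        ' Keep the removed text in the log so a false positive can be
        ' recognised and the page restored by hand
        objLog.WriteLine "Removed from " & oFile.Path & ": " & oMatch.Value
        bContaminated=true
    next
    if bContaminated then
        sFilename=oFile.Path
        ' Delete (forced, so read-only files are replaced too) then recreate
        oFile.Delete true
        set objTS=objFSO.CreateTextFile(sFilename,true)
        objTS.Write sFile
        objTS.Close
        if err.number<>0 then
            ' The file may already be gone at this point, so say so loudly
            objLog.WriteLine "ERROR rewriting " & sFilename & ": " & Err.Description
            wscript.echo "ERROR rewriting " & sFilename
            Err.Clear
        else
            objLog.WriteLine "Contaminated file: " & sFilename
            wscript.echo "Contaminated file: " & sFilename
        end if
    end if
end sub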
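sub force_cscript
    ' If the script was started under wscript.exe (message-box host), re-run
    ' it under cscript.exe so output goes to the console, passing the
    ' original arguments through, and then exit this instance.
    dim args : args=""
    dim i, wshshell
    If right(lCase(wscript.fullname),11)= "wscript.exe" then
        ' Quote each argument so values containing spaces survive the
        ' relaunch; an argument that itself contains a double quote is
        ' still not handled.
        for i=0 to wscript.arguments.count-1
            args = args & " """ & wscript.arguments(i) & """"
        next
        set wshshell=createobject("wscript.shell")
        ' args carries its own leading space; the original glued the first
        ' argument directly onto the closing quote of the script path
        wshshell.run wshshell.ExpandEnvironmentStrings("%comspec%") & _
            " /c cscript.exe //nologo """ & wscript.scriptfullname & """" & args
        set wshshell=nothing
        wscript.quit
    end if
end sub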
