'Gumblar' and 'Martuz' infections

The FTP clients that store the saved login credentials in plain text are usually the ones hit first.

For instance:

1.CoffeeCup Direct FTP
2.TransSoft FTP Control 4
3.Core FTP
4.GlobalScape CuteFTP
5.Far Manager (with FTP plugin)
6.FileZilla
7.FlashFXP
8.SmartFTP
9.FTP Navigator
10.Total Commander

All save the stored login credentials in plain text making it easy for the virus to find and steal them. It then sends them to a server that logs into the website, downloads files, infects them then uploads them back to the website.

I've like Avast, but Antivir might work well too.

For those who think that simply not saving their credentials will protect them, think again. The virus works as a sniffer and a keyboard logger too. So any FTP connection, since it transmits all data in plain text, is easy pickin's for the virus.

As a complete line of defense, you can switch to WS_FTP which encrypts the login information and then also switch to SFTP, if your hosting provider supports it. SFTP encrypts the data stream so it can't be sniffed.

The server will also many times, upload various back doors to the website too. These backdoors will typically be .php files with a string like:

then a long list of characters. This will usually be inserted into the first line of a .php file before the legitimate <?php tag.

So it will actually look like:

These backdoors allow the hackers to re-infect the website after the FTP credentials have been changed and the virus removed.

Just thought you'd like to know...