May 20, 2009 | In: Apache, MySQL, PHP, Server Security
Gumblar .cn – Infiltrating Hosting Accounts
Compromised hosting accounts have been a common incident; however, the sudden surge of this variant is quite alarming. This trojan does not target any particular software or script. It is commonly exploited from the user's computer, the one usually used to FTP files to hosting accounts. The trojan scans that computer for FTP usernames and passwords and uses them to inject PHP scripts onto the FTP server.
So far I have seen two variations: one being a slave for an XSS attack and another acting as a proxy or zombie, perhaps for a DoS attack.
What should you do, and how do you know if you are infected? There is no simple prevention measure I can offer aside from asking you to scan and thoroughly clean your computer first. Then download all your files from the FTP server. You can download the PHP files only; however, there is a probability that a JS-based file may exist as well. After downloading, scan all your files and re-upload them. Not too neat, but it’s the only method that works for me.
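One way to triage the downloaded copy before re-uploading, as an added example that is not part of the original post: it walks the mirror and flags `.php` and `.js` files for manual review. The heuristics, threshold and sample files are assumptions made for this example, not signatures of this trojan, and it complements an antivirus scan rather than replacing it.

```python
import re, tempfile
from pathlib import Path

# Generic obfuscation markers chosen for this example (assumptions, not
# signatures from the post). A hit means "review this file by hand".
HEURISTICS = {
    "eval-decode": re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate)\s*\(", re.I),
    "escaped-script": re.compile(rb"(document\.write|eval)\s*\(\s*unescape\s*\(", re.I),
}
MAX_LINE = 2000               # a very long single line suggests packed code
EXTENSIONS = {".php", ".js"}  # the two file types the post mentions


def scan_file(path):
    """Return the sorted names of the heuristics that match one file."""
    data = Path(path).read_bytes()
    hits = {name for name, rx in HEURISTICS.items() if rx.search(data)}
    if any(len(line) > MAX_LINE for line in data.splitlines()):
        hits.add("very-long-line")
    return sorted(hits)


def scan_tree(root):
    """Walk a downloaded mirror; map relative path -> hits for flagged files."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() in EXTENSIONS:
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report


def demo():
    """Scan a small mirror built from constructed sample files."""
    samples = {
        "index.php": b"<?php echo 'hello'; ?>\n",
        "cache.php": b"<?php eval(base64_decode('Y29uc3RydWN0ZWQ=')); ?>\n",
        "menu.js": b"document.write(unescape('%3Cb%3Econstructed%3C/b%3E'));\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            Path(tmp, name).write_bytes(body)
        return scan_tree(tmp)


if __name__ == "__main__":
    print(demo())
```

To check a real download, call `scan_tree()` on the directory holding the mirrored files and compare each flagged file against a known-clean copy before uploading anything back.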