Today I came across a nasty little booger. It’s added to the wp-includes/swfobject.js file and they used the wp-includes/tempate-loader.php to load it.
I did noticed from another message board that it has been around for at least a few weeks, but apparently people are just now discovering it in mass modes. A google search revealed hundreds of people looking for answers on how to deal with this. My suggestion – wipe your server of all files and restore from a known good backup. If you don’t have that, then head on over to Scurit.com – let the pros deal with it.