All the domains run on a distributed botnet and were freshly registered this morning to a no-doubt fake address:
whois -h whois.crsnic.net win496.com ...There are probably several different payloads, one we have seen is the Danmec trojan which drops a file called aspimgr.exe into the SYSTEM32 folder (more details here, here and here). The payload delivery may be randomised, it seems to be quite difficult to determine exactly what is going on.
Redirecting to DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM
whois -h whois.PublicDomainRegistry.com win496.com ...
Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291
Domain Name: WIN496.COM
Registrant:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672
Creation Date: 04-Jun-2008
Expiration Date: 04-Jun-2009
Domain servers in listed order:
ns4.win496.com
ns3.win496.com
ns2.win496.com
ns1.win496.com
Administrative Contact:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672
Technical Contact:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672
Billing Contact:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672
Status:ACTIVE
If your server has been infected, then you need to do more than just clean it up.. you need to sanitize your SQL inputs. You can read more details of how SQL injections works here.
Right now it is difficult to say how many sites are impacted as the domains are really very new.
Added: you can add sysid72.com/b.js to this list too. That was registered 5 days ago, and a Google search already shows over 2000 hits. Also locale48.com has infected over 4000 pages in the same time frame.