This javascript footer is only part of the problem. Nobody knows how "they" got to the IIS servers in the first place. I fear there's a 0-day flooting around that exploits IIS5.
What we DON'T know, and can use some help in figuring out, is how the malware is installed on the IIS server to begin with. Is there a zero-day floating around? Is it via a known vulnerability and the use of agent.exe as mentioned above? (Ed Skodis, one of our handlers, suggested that perhaps the IIS system admin used a local copy of IE to browse a site and pulled down hostile JavaScript. Does that jive with anybody's findings?)

Our concern is that there might be an IIS zero-day floating around. We won't list the sites that are reported to be infected in order to prevent further abuse, but the list is long and includes businesses that we presume would normally be keeping their sites fully patched.
Source http://isc.sans.org/diary.php?date=2004-06-24

Edit: I posted this before I had a chance to read DjM's post here