
70,000 Web Pages Hacked By Database Attack


What Does The Attack Involve?



(Page 2 of 2)

The attack typically invades a site with a catalogue or other large text files stored on a SQL Server database. As a site visitor clicks on a Web site's button or link for more information, such as "more information" from a catalogue, the database is activated to send a JavaScript plant onto the user's computer.

But there's been no evidence of the attacker following through to activate the code placements on user computers. The plants take advantage of a widely publicized Windows vulnerability, listed as the MS06-014 exploit by the Internet Storm Center, a site sponsored by the SANS Institute for quick identification of threats on the Internet.

Neray said attackers use such an approach when they are lining up many computers around the Web with which to stage a denial of service attack or other automated action against a particular Web site. He said it's also possible the attacker was merely illustrating his ability to penetrate database systems and reach many users' computers. Unlike worms and viruses, the attack is aimed at Web site databases, which are then used to launch user intrusions on a massive scale. As such, it illustrates

The Windows exploit that the attack takes advantage of has been known since September 2006, and many users' computers are likely to be protected from it by updates to their Windows operating system. In his Jan. 5 blog, Thompson said the attack on Web sites showed that the attackers "went to the trouble of preparing a good website exploit, and a good mass-hack, but then used a moldy old client exploit. It's almost a dichotomy." That is, if the successful Web site database attack had been followed up with a sophisticated Windows client attack, the intruder might still be spreading across the Internet.

John Gormly, a blogger at myITforum.com Inc., commented Jan. 6: "Part of security software vendor CA's website was hacked last week and was redirecting visitors to a malicious website hosted in China. Although the problem now appears to have been corrected, cached versions of some pages in the press section of CA.com show that the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center."

Google and Yahoo's cached pages from Web site databases may still contain the JavaScript, untouched by site efforts to clean it up, the experts warned.
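A cleanup check for the planted JavaScript described above, as an added example that is not part of the original article: it scans text fields exported from the database for `<script>` tags that are inline or load from a host outside the site's own allowlist. The table names, rows, allowlisted host and script path are constructed for illustration; only the uc8010.com domain comes from the article.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcCollector(HTMLParser):
    """Collects the src of every <script> tag found in one text field."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lowercases tag and attribute names
            self.sources.append(dict(attrs).get("src") or "")  # "" = inline


def find_planted_scripts(rows, allowed_hosts):
    """Return (table, column, key, host) for each script tag in stored text
    that is inline, unparseable, or loads from a host not in allowed_hosts."""
    findings = []
    for table, column, key, text in rows:
        parser = ScriptSrcCollector()
        parser.feed(text)
        parser.close()
        for src in parser.sources:
            if not src:
                findings.append((table, column, key, "(inline)"))
                continue
            try:
                host = urlparse(src.strip()).hostname or ""
            except ValueError:
                host = "(unparseable)"
            if host and host not in allowed_hosts:  # no host = relative URL
                findings.append((table, column, key, host))
    return findings


# Constructed sample rows: (table, column, primary key, stored text).
ROWS = [
    ("Catalogue", "Description", 1, "Blue widget, 10 cm."),
    ("Catalogue", "Description", 2,
     'Red widget.<script src="http://www.uc8010.com/x.js"></script>'),
    ("Catalogue", "Description", 3,
     "Green widget.<SCRIPT SRC=//cdn.shop.example/menu.js></SCRIPT>"),
    ("News", "Body", 7, "Press release<script src=http://www.uc8010.com/x.js>"),
]

if __name__ == "__main__":
    for finding in find_planted_scripts(ROWS, {"cdn.shop.example"}):
        print(finding)
```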
