"Five days ago, we wrote about the infection of several hundred
websites that was unlike anything seasoned researchers had seen before.
Mary Landesman, a cyber gumshoe who first brought it to public
attention, asked for help from other security pros in figuring out how
the unusual new technique worked. And help is what many of her peers
have provided.

The sites host malicious JavaScript that is spontaneously
created and randomly named only after a visitor hits the home page.
That's unlike any other mass infection most researchers have seen
before. Usually, infected sites merely host pointers to
attacker-controlled servers, which in turn are used to host malware
with static file names.

The innovative technique is much more than an academic
curiosity. Because the rogue code does not exist on any server until an
end user visits it, the JavaScript remains invisible to site
administrators. The randomness also prevents most antivirus programs
from detecting the JavaScript. Equally frustrating, it prevents
researchers from running a simple web search that ferrets out every web
address where the attack code is hosted."

Article Link: http://www.theregister.co.uk/2008/01/17/0day_excel_bug_menace