The files are modified over ftp. I checked it on our servers ftp log. All of them, only index files, were accessed by the same IP located in the Republic of Moldova. That IP could be the from the attacker or a zombie infected PC controlled from another country.
The moment one of those index files is visited they upload a randomly named php (bush.php,thai.php,nba.php) file with the viral charge to the same location.
Our theory is that we have a local windows trojan that is catching our ftp passwords. Some of the PCs have been formatted today by paranoid teammates. We have to check 3 more Windows PCs that are away from the office, they are offline until we can have them on Tuesday. We haven't found the trojan but may have been in one of the formatted PCs or in the other 3 that we have to check.
I advise you to stop serving the webs until they are cleaned, changing all of your ftp passwords at least, check your DB passwords too if you have any local Mysql client. Our software with ftp access was Total Commander, Filezilla and PSPad, for mysql it was HeidiSql.
If you have ssh access I can provide you with some commands to do a fast search and cleaning index files and to delete uploaded php files.