Mediawiki worm

Something's running around pwning either Mediawiki sites (symbianwiki.com in this instance) or PHP in general and inserting a 1x1 IFRAME before the !DOCTYPE header in each response; the browser exploit is hosted on a site that's been taken offline, but I'm assuming it's yet another attack against the trillions of Windows boxes that still haven't been patched with six months ago's patch cluster.

I'm not sure if it's a known attack or not, so am doing a brief writeup for ISC now. I'm from the government, and I'm here to help you.