The purpose of this attack, as near as I can tell, is to serve up the W32/Kuluoz malware from compromised sites.
The attack comes in stages:
1. Launch a brute-force password-guessing attack on Joomla and WordPress sites;
2. Deposit a malicious backdoor script on the hacked site;
3. Install a file on the compromised site, nowadays usually (but not always) named "main.php"; earlier versions of the attack used different script names. On WordPress sites, it may be installed at the root level of the site, in the /images folder, or in a folder called /img; on Joomla sites, it is often placed at the root level of the site or in the /components directory;
4. Send out spam emails directing marks to the location of the main.php script, usually disguised as DHL or FedEx delivery notifications.
The main.php script is interesting. It checks the browser's user agent when a visitor arrives, and some variants appear to check the IP address against a blacklist as well.
If it sees a vulnerable Windows user agent string, it pushes the W32/Kuluoz malware to the visitor using one of a number of different drive-by download exploits.
If it doesn't see a vulnerable user agent string (or if the IP address is blacklisted), early versions presented a phony 404 error page. This error page was generated by the script and looked different from the site's true 404 error page.
More recent versions of the script, which I've seen in the past few weeks, do an internal redirect to a real 404 error page, making them more difficult to detect.
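The cloaking behaviour described above (branch on the user agent, sometimes on the client IP, and hand everyone else a 404) is also what makes the script findable on disk. The following is an added example, not code from the original post or from any real sample: a small scanner that walks a WordPress or Joomla document root, flags a main.php sitting in any of the drop locations named above, and scores every PHP file for the indicators such a script has to contain. The indicator patterns and the sample site tree are my own constructions and assumptions; the "dropper" in the sample only mimics the control flow and never delivers anything.

```python
"""Added example: hunt for the Kuluoz-style cloaking script on a CMS install."""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Drop locations named in the post, relative to the site root.
SUSPECT_DIRS = {"", "images", "img", "components"}
SUSPECT_NAME = "main.php"

# Content indicators. These are assumptions about what a cloaking script must
# do (read the UA, optionally the client IP, answer non-targets with a 404),
# not signatures lifted from a real sample.
INDICATORS = {
    "user_agent_check": re.compile(r"HTTP_USER_AGENT", re.I),
    "client_ip_check": re.compile(r"REMOTE_ADDR|HTTP_X_FORWARDED_FOR", re.I),
    "fake_404": re.compile(r"header\s*\(\s*['\"]HTTP/1\.[01]\s+404", re.I),
    "internal_404_redirect": re.compile(r"(?:include|require)(?:_once)?\s*\(?[^;]*404", re.I),
    "obfuscation": re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I),
}


@dataclass
class Finding:
    rel_path: str
    suspicious_location: bool          # main.php in one of SUSPECT_DIRS
    indicators: list = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        # A UA branch combined with a 404 branch is the cloaking pattern itself;
        # a main.php in a known drop location is flagged on name alone.
        cloaking = "user_agent_check" in self.indicators and any(
            i in self.indicators for i in ("fake_404", "internal_404_redirect"))
        return self.suspicious_location or cloaking or len(self.indicators) >= 3


def scan_site(root: str) -> list:
    """Return Findings for every PHP file with at least one indicator or a suspect name/location."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        rel_dir = "" if rel_dir == "." else rel_dir.replace(os.sep, "/")
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            with open(os.path.join(dirpath, name), encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hits = [key for key, rx in INDICATORS.items() if rx.search(text)]
            suspicious = name == SUSPECT_NAME and rel_dir in SUSPECT_DIRS
            if hits or suspicious:
                rel_path = f"{rel_dir}/{name}" if rel_dir else name
                findings.append(Finding(rel_path, suspicious, hits))
    # Flagged files first, then alphabetical.
    return sorted(findings, key=lambda f: (not f.flagged, f.rel_path))


# Constructed sample tree (my own mock-up, not a real compromised site).
SAMPLE_FILES = {
    "index.php": "<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
    # Benign plugin: reads the UA but never branches on it -> single indicator, not flagged.
    "wp-content/plugins/stats/track.php":
        "<?php // logs the visitor UA for statistics\n"
        "file_put_contents('/tmp/ua.log', $_SERVER['HTTP_USER_AGENT'] . PHP_EOL, FILE_APPEND);\n",
    # Mock dropper with the control flow the post describes; no real payload.
    "images/main.php":
        "<?php\n"
        "$ua = $_SERVER['HTTP_USER_AGENT'];\n"
        "$ip = $_SERVER['REMOTE_ADDR'];\n"
        "if (stripos($ua, 'Windows') === false || in_array($ip, $blacklist)) {\n"
        "    header('HTTP/1.0 404 Not Found');\n"
        "    echo '<h1>Not Found</h1>';\n"
        "    exit;\n"
        "}\n"
        "eval(base64_decode($payload));  // exploit delivery would sit here\n",
}


def build_sample_site() -> str:
    """Write SAMPLE_FILES into a fresh temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="site-")
    for rel, body in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for f in scan_site(build_sample_site()):
        print(f"{'FLAG' if f.flagged else '    '} {f.rel_path}: "
              f"location={'suspect' if f.suspicious_location else 'ok'} indicators={f.indicators}")
```

Point scan_site at the real document root instead of the sample tree. A filesystem scan only finds what is on disk; because the live script answers non-Windows clients with a 404, confirm a suspect URL by requesting it twice, once with a Windows Internet Explorer user agent and once with a plain curl or Linux user agent, and compare status codes and bodies. A file that 404s for one and not the other is cloaking regardless of what the scanner scored.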
I've written extensively about this attack and the apparent link between the WP/Joomla brute-force hacking and the Kuluoz malware downloaders on my blog:
http://tacit.livejournal.com/580719.html
The attack has been tweaked and modified several times--the earliest versions tried to dupe marks with spam emails pretending to be airline flight confirmations, for instance. It has also scaled rapidly as the attacks on weak WP and Joomla passwords have scaled. In some cases, I have seen ISPs remove the malware script, only to see it reappear a few days later--suggesting that either the passwords haven't been changed or the backdoor scripts are still on the compromised servers.