http://www.symantec.com/connect/blogs/trojanmilicenso-infection-through-htaccess-redirection
Trojan.Milicenso: Infection through .htaccess Redirection
Due to additional research of the Trojan.Milicenso threat (a.k.a "Printer Bomb"), we have determined that the threat is downloaded by an .htaccess redirection Web attack and that at least 4,000 websites have been compromised by the gang responsible for the threat.
Note: There is no redirection if the user visits the website from a bookmark or by pasting the URL into the browser address field.
The attacker changes the domain name often in order to prevent it from being blocked or blacklisted. In 2010 and 2011, the gang moved to a new domain every few months. But in 2012, they changed domains almost every day.