Gumblar.cn was the first domain discovered that was creating and managing the Gumblar attack. Gumblar.cn has now been closed down, as has the next in line, but it is thought that the virus makers have a whole host of domains and servers to utilise. Once Gumblar has infected a webserver, the website on that server becomes a carrier, and spreads the virus to new computers. To put simply, Gumblar steals FTP passwords from web designers and site managers, then uses them to connect to website servers, and edit .html .php and .js pages. It targets index files as well as creating files in image directories, and even modifies webalizer and awstats files given the chance. These are likely to be the backdoors.