Post: Re: Web hosts?
Posted Thursday 18th December 2008 12:00 GMT
In Microsoft issues emergency IE patch as attacks escalate
A quick Googl$ for the ardoshanghai.com/s.js string appears to show the majority of sites hosting that particular form of the hostile code for this exploit serving .asp?*** or .aspx?*** URLs. I'm guessing this indicates they are serving from IIS of some description, which would probably indicate compromise through unpatched holes there (or automated SQL injection, perhaps).
Could it be that Korean domains dominate because, as I understand it, the current trojan delivered through this hole is installing game password stealers, and those .kr peeps are probably the most lucrative market for 'hot' virtual property?
Flames because quite a lot of people are going to be burned by this one over the holiday season...
