The New York Times fessed up that they were having problems in This note on September 13th:
Some NYTimes.com readers have seen a pop-up box warning them about a virus and directing them to a site that claims to offer antivirus software. We believe this was generated by an unauthorized advertisement and are working to prevent the problem from recurring. If you see such a warning, we suggest that you not click on it. Instead, quit and restart your Web browser. Questions and comments can be sent to email@example.com.
A second NYT story today tells only SLIGHTLY more information:
http://bits.blogs.nytimes.com/2009/09/14/times-site-was-victim-of-a-malicious-ad-swap/?hpw, see also: http://gadgetwise.blogs.nytimes.com/2009/09/14/what-to-do-if-you-saw-an-antivirus-pop-up-ad/
Some of the domains involved included:
protection-check07.com which resolved to IP address 220.127.116.11. That IP was also used by:
These actually were shared across several IPs, including:
18.104.22.168 - Berlin, Germany, "your-server.de"
22.214.171.124 - Sweden, - "your-server.de"
126.96.36.199 - your-server.de
188.8.131.52 - Cyprus - Ricomm
184.108.40.206 - UK - Telos Solutions
220.127.116.11 - Netherlands - Ecatel
As I was not a first-hand witness, I'm going to wrap this up short as promised by pointing to a few other blogs: