Sophos are now identifying my earlier post about WordPresz 2.6.4 as Troj/WPHack-A.
Further information can be found at the Sophos web-site, The Register and over at ZDNet (Fake WordPress site distributing backdoored release)
UPDATE: Watch a short (less than 60 seconds) video demonstrating the dashboard hijack.