This seems to vary as anonymousfox is finding the vulnerability and then running a script to affect the site. The most common thing we have seen are code injections that redirect the site from Google searh result lists to a Chinese site. This is quite tricky because the site owner who navigates straight to the site does not detect anything. Most other variants we have seen perform the same sly modifications style.
Cleanup is relatively simple and can usually be done with a bulk malware scan and clean. However it seems the hack has also changed the php umask in an effort to prevent people upgrading plugins to patch vulnerabilities.
More to come…