So, until the WordPress people get back to me on what, exactly, this hack does, and how, exactly, to beat it permanently (I'm pretty sure I have it licked, but am feeling skittish), I recommend that if you have read the blog at all in April, you delete all your browser cookies.
I'm probably being overly cautious. However, I found what I suspect is the hack payload file in one of my backups. And a reading of the code showed a function named "read_visitors()". I'm not enough of a PHP expert to tell exactly what it does. But other portions of the hack messed about with cookies. So wearing my ultra-paranoid hat, I say, toss those cookies.
Did I mention I was pissed off? There's a domain name that ends in ".cn" that I'd like to toast right now.