Via Lorelle on WordPress (I’ve formatted some parts):
Take care when searching for WordPress that you do not end up on a fake WordPress site. Wordpresz.org looks like the WordPress site but isn’t.
This is just the first of what could be a run on fake sites that take advantage of your careless misspelling and spoof the official WordPress site. Pay close attention and type out manually http://www.wordpress.org/ and double-check the URL before downloading anything from the official WordPress sites.
If you upgraded WordPress to 2.6.4, you are running a fake version. There is no WordPress 2.6.4. The latest version is 2.6.3. The version of WordPress you download has malicious code in the download that opens a backdoor to your blog.
Automattic is looking at ways to keep users informed and warned, but pay attention to details. Just check first and know what you are downloading before risking your blog.
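The two checks described in the quoted warning (is the download host really wordpress.org, and does the version number exist) can be scripted. The following is an added example, not code from Lorelle's post or from WordPress; the function names, the edit-distance threshold of 2, and the "last two labels" shortcut for the registered domain are assumptions made for illustration.

```python
from urllib.parse import urlsplit

OFFICIAL_DOMAIN = "wordpress.org"   # official site named in the post
LATEST_RELEASE = (2, 6, 3)          # latest real version according to the post


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # deletion
                           cur[j - 1] + 1,             # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def classify_host(url):
    """Return 'official', 'lookalike' or 'untrusted' for a download URL."""
    if "//" not in url:
        url = "//" + url            # let urlsplit parse a bare host name
    host = (urlsplit(url).hostname or "").rstrip(".")
    if host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN):
        return "official"
    # Assumption: the registered domain is the last two labels. This is
    # enough for this example; a real tool would use the Public Suffix List.
    registered = ".".join(host.split(".")[-2:])
    if edit_distance(registered, OFFICIAL_DOMAIN) <= 2:
        return "lookalike"          # near-miss spelling such as wordpresz.org
    return "untrusted"


def version_is_plausible(version):
    """False when the version is newer than the latest known release."""
    return tuple(int(p) for p in version.split(".")) <= LATEST_RELEASE


if __name__ == "__main__":
    for u in ("http://www.wordpress.org/", "Wordpresz.org"):
        print(u, "->", classify_host(u))
    for v in ("2.6.3", "2.6.4"):
        print(v, "plausible" if version_is_plausible(v) else "does not exist")
```

LATEST_RELEASE has to be updated from a trusted source whenever a real release ships, otherwise a genuine upgrade would be reported as nonexistent.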