hypanis.ru wordpress vulnerability [closed]

I would more suspect a code injection via a plugin’s vulnerability; there have been a few of those lately. I don’t think it is a virus; just someone that exploited an unpatched vulnerability.

You don’t specify whether the site has been updated (WP, plugins, themes) or the PHP version; this would be useful information.

To clean, I would upload fresh/clean versions of all theme and plugin code (deleting those plugin/theme folders’ contents first), then upload a fresh WP (everything except your wp-config.php).

I’d also look at your htaccess files, and any custom Child Themes, for any inserted/invalid code. A good database backup is a good idea, as is an inspection of the wp-contents table for inserted or modified post records.

And, of course, strong passwords everywhere (WP, database, hosting, FTP); an admin user that is not called ‘admin’ (and not user #1), and strong passwords on all admin-level accounts.
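The file inspection suggested in the answer above can be scripted as a read-only scan. This is an added example, not part of the original answer: the `hypanis.ru` indicator comes from the question title, while the other patterns, the function names and the sample tree are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Indicator from the page title plus generic markers of injected PHP/.htaccess
# code. The generic patterns are assumptions, not taken from the original answer.
INDICATORS = {
    "hypanis.ru reference": re.compile(rb"hypanis\.ru", re.I),
    "eval of decoded data": re.compile(
        rb"eval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "external htaccess redirect": re.compile(
        rb"^\s*Rewrite(Rule|Cond)\b.*https?://", re.I | re.M),
}
SCAN_SUFFIXES = {".php", ".js", ".html"}


def scan_tree(root):
    """Return sorted (relative_path, indicator_name) pairs for files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or (
                path.name != ".htaccess" and path.suffix.lower() not in SCAN_SUFFIXES):
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: skip rather than abort the scan
        for name, pattern in INDICATORS.items():
            if pattern.search(data):
                findings.append((path.relative_to(root).as_posix(), name))
    return sorted(findings)


def build_sample_site(root):
    """Constructed sample tree: one clean file, two with injected content."""
    theme = Path(root, "wp-content", "themes", "child")
    theme.mkdir(parents=True)
    (theme / "style-loader.php").write_text("<?php echo 'ok';\n")
    (theme / "functions.php").write_text("<?php eval(base64_decode('ZWNobyAxOw=='));\n")
    Path(root, ".htaccess").write_text(
        "RewriteEngine On\nRewriteRule ^(.*)$ http://hypanis.ru/$1 [R=302,L]\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, name in scan_tree(tmp):
            print(f"{rel}: {name}")
```

A hit is a prompt for manual review, not proof of compromise: a legitimate `.htaccess` rule that redirects to an absolute URL will also match the redirect pattern.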