Notice the replace call after the giant messy string: .replace(/#|\$|@|\^|&|\(|\)|\!/ig, '').

It removes most of the special characters, turning it into a normal URL:


(I manually changed http: to evil:)

Note that the regex could have been simplified to .replace(/[#$@^&()!]/ig, '')

If you look at the script, you'll see that it's a very simple script that injects a hidden IFRAME containing the path /index.php?ys from the same domain.

I requested that page in Fiddler, and it had no content.
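The cleanup step described above, as an added example that is not part of the original post or of the analyzed script. It runs both forms of the regex over a constructed obfuscated string, confirms they strip exactly the same characters, and rewrites the scheme to evil: so the recovered URL cannot be fetched by accident. The host example.test and all function names are assumptions; only the /index.php?ys path comes from the post.

```javascript
// Regex as it appears in the script, and the simplified character-class form.
const JUNK_ALTERNATION = /#|\$|@|\^|&|\(|\)|\!/ig;
const JUNK_CLASS = /[#$@^&()!]/ig;

// Constructed sample: a URL with junk characters interleaved (not the real string).
const SAMPLE = 'h#t$t@p^:&/(/)e!x#a$m@p^l&e(.)t!e#s$t@/^i&n(d)e!x#.$p@h^p&?(y)s';

// Strip the filler characters, as the script's replace call does.
function stripJunk(s, re = JUNK_CLASS) {
  return s.replace(re, '');
}

// Check every printable ASCII character: both regexes must remove the same set.
function regexesAgree() {
  for (let code = 32; code <= 126; code++) {
    const ch = String.fromCharCode(code);
    if (stripJunk(ch, JUNK_ALTERNATION) !== stripJunk(ch, JUNK_CLASS)) {
      return false;
    }
  }
  return true;
}

// Recover the URL and record it in a form that is safe to paste into notes.
function analyze(obfuscated) {
  const clean = stripJunk(obfuscated);
  const url = new URL(clean); // throws if the result is not a well-formed URL
  return {
    host: url.host,
    path: url.pathname + url.search,
    // Same trick as in the post: swap the scheme so nothing resolves it.
    defanged: clean.replace(/^https?:/i, 'evil:'),
  };
}

console.log(regexesAgree(), analyze(SAMPLE));
```
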