This malicious JavaScript may be downloaded unknowingly by a user when visiting a certain malicious Web site. It may also be hosted on a malicious Web site.
This is Trend Micro's detection for Web pages that were compromised through the insertion of a certain iFrame tag.
The malicious portion of this script is encrypted to hide its iFrame code.

Once an unsuspecting user visits an affected Web page, this malicious JavaScript connects to the Web page http://{BLOCKED}tuffdeals.com/docs/theme.htm to download another script which also contains an iFrame exploit. Trend Micro detects the said script as HTML_IFRAME.CX. As a result, malicious routines of the downloaded script are exhibited on the affected system.

This worm may be dropped or downloaded from remote sites by other malware.
It sends copies of itself to target recipients via the instant messaging application MSN Messenger.
It joins IRC channels and executes commands from a remote malicious user, effectively compromising system security.