The "malicious" code at the end of the advisory looks like nothing more than a beacon announcing it was installed?
edit:
get current working directory
get username
get hostname
concatenate the last 3 together
obfuscate(/encrypt?) this string
send the result as a http request to 121.42.217.44 (the value of the base64 string)
