it also appears to add a cookie named “lonly”
Hmm. We just updated to 3.3.2 on May 2nd. And the malware isn’t in the code before the update. I don’t know how/when it got in there. But it produces the almost the same JS as yours:
http://pastebin.com/574ym0sC
Found the malicious code. It’s in:
wp-includes/kses.php
very first line
Now how did it get there ?