Hello!
It's not javascript based actualy, it's certainly a php code, and one well-integrated into the wp functionality, so it's definitely written specifically for wordpress targets.
And it's not an infestation (chng/additions) of existing php code, but most probably something you won't be able to immediately identify as being malicious, so no wonder the anti-virus program did not do any good, it has to be done by a human going through, and examining the code, manually, no automated means would be of help to rid this off.
Regards,
Dobri