On a brief skim, it doesn't seem to do much besides spread itself. Am I missing something, or was it just for lulz? Or maybe a grey hat trying to prove a point?
It's really a question of how malicious the author was- if they set it up to download everything attached to the account as soon as it connected, it could still cause a lot of damage.
Even worst: The hacker could have taken a list of lets say the top 1000 banking (or any type of online service) websites accross the globe. The moment the hacker get access to your gmail account, he initiatite a password recovery request on each of those 1000 websites, get the password reset link from the email, reset the password, delete the email. he could now have access to any other online account you have that had its recovery email set to your gmail account.
Pretty much what you'd expect.
Edit: This isn't the full source code. There was another PHP file visible on their website that unfortunately isn't visible anymore.