Ummmm... thats kinda outta order don't you think? Usually vulnerabilities get discovered and thats when patches usually come out. The malware usually comes out a few days... if not week later afterwards when peaple start to study it, it become well known, & then peaple give the source code to exploits for the vulnerabilities so someone can C&P it into worms and things.

I have very rarely (if ever) seen worms and trojans exploit vulnerabilities before a patch has been made.