The exploit is launched when a user clicks on a malicious link in an e-mail or web page. Internet Explorer launches a pop-up window with an “iframe” tag, which is commonly used to display text or interactive features in a floating window. The code tricks the browser into thinking the iframe contains a help file from the user’s hard drive, while downloading a javascript that can then run with local privileges. The javascript then launches a remote php file, which in turn downloads a trojan to the user’s hard drive. A complete analysis of the exploit and how it works can be found here.
Some security professionals called the new hack an example of a “zero-day exploit,” in which a working attack is published at the same time a vulnerability is discovered. The existence of a published exploit puts pressure on Microsoft to quickly come up with a patch for all IE users. Early reports suggest the key security holes may be patched in Windows XP Service Pack 2, which is now in beta.