Targeted Internet Explorer Zero-Day Attack Announced (CVE-2010-0806)

Earlier today, Microsoft released Security Advisory (981374). This advisory covers CVE-2010-0806, an unpatched vulnerability affecting Internet Explorer versions 6 and 7. This attack appears to be rather targeted at the moment, but as with other unpatched vulnerabilities in the past, it has the potential to explode now that the word is getting out.

McAfee Labs is aware of an attack emanating from the domain topix21century.com (over both HTTP and HTTPS). In this attack, vulnerable users are directed to a malicious webpage that downloads and executes a file named notes.exe or svohost.exe (classified as BackDoor-EMN) in drive-by download fashion (visiting the page is enough to get infected). There are multiple variants of this trojan involved. Notes.exe creates two copies of itself in the %temp% directory and drops a DLL file. This DLL file is injected into Internet Explorer and provides remote access to an attacker.

The backdoor allows an attacker to perform various functions on the compromised system, including uploading and downloading files, executing files, and terminating running processes. Infected systems may attempt to communicate with the domain notes.topix21century.com over HTTPS.

File names related to this attack include:

20100307.htm (CVE-2010-0806 exploit)

bypasskav.txt (part of exploit obfuscation code)

notes.exe (backdoor installer)

note.exe (backdoor installer copy)

clipsvc.exe (backdoor installer copy)

wshipl.dll (backdoor)

rsvm.exe (backdoor installer)

wshipnotes.dll (backdoor)
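
The indicators above, applied to proxy-log URLs and Windows file paths, as an added example that is not from the original post or from McAfee. The function names and the sample inputs are constructed for illustration; the domain and file names are the ones listed in this post.

```python
import ntpath
from urllib.parse import urlsplit

# Indicators taken from the advisory text above.
IOC_DOMAIN = "topix21century.com"
IOC_FILES = {
    "20100307.htm", "bypasskav.txt", "notes.exe", "svohost.exe", "note.exe",
    "clipsvc.exe", "wshipl.dll", "rsvm.exe", "wshipnotes.dll",
}

def host_matches(host):
    """True for the IoC domain or any subdomain, never for lookalike suffixes."""
    host = host.lower().rstrip(".")
    return host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN)

def url_hits(url):
    """Return the reasons a proxy-log URL (or CONNECT host:port) matches."""
    parts = urlsplit(url if "://" in url else "//" + url)
    hits = []
    if parts.hostname and host_matches(parts.hostname):
        hits.append("domain:" + parts.hostname)
    leaf = parts.path.rsplit("/", 1)[-1].lower()
    if leaf in IOC_FILES:
        hits.append("file:" + leaf)
    return hits

def path_hit(windows_path):
    """Return the matching IoC file name for a Windows path, else None."""
    leaf = ntpath.basename(windows_path).lower()
    return leaf if leaf in IOC_FILES else None

# Constructed sample inputs (not real log data).
SAMPLE_URLS = [
    "http://topix21century.com/20100307.htm",
    "notes.topix21century.com:443",            # HTTPS CONNECT entry
    "http://nottopix21century.com/index.htm",  # lookalike suffix, must not match
    "http://example.org/downloads/Notes.exe",  # file name only, different host
]
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\note.exe",
    r"C:\Windows\System32\svchost.exe",        # legitimate name, not svohost.exe
    r"C:\DOCUME~1\bob\LOCALS~1\Temp\WSHIPL.DLL",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, "->", url_hits(url))
    for path in SAMPLE_PATHS:
        print(path, "->", path_hit(path))
```

A file-name match on its own is a lead to triage rather than a verdict, since names such as notes.exe can belong to unrelated software; a domain match combined with one of these names in %temp% is the stronger signal.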

Preliminary product coverage is as follows:

McAfee DAT files (antivirus): Coverage will be provided for known exploits as Exploit-CVE-2010-0806 and known payloads as BackDoor-EMN in the 5916 DAT (continue reading...)

Copyright © 2012 The Security Blog. All rights reserved.