This sample exploit page will attempt to write the file Windrv.hta to [Windows Directory]\start menu\programs\startup\
If you run another language of windows, just create the dir and click refresh...
After executing this file, the files S. and BABE.JPG will be created, and BABE.JPG will be executed (shown)
This page was created using EXE2HTML without encoding, cuz this encoding gave some problems with certain windoze versions, but wtf.
The exploit fails when an ActiveX message pops up and alerts the user, however I can imagine that some windows users might even press <OK> then ;-)
The exploit off course also fails when the activex control isn't there or has been deleted (smart :-)