Microsoft has posted a security warning (Microsoft Security Advisory 972890) for those using Windows XP and Windows Server 2003 which states that:
"Microsoft is investigating a privately reported vulnerability in Microsoft Video ActiveX Control. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention."
"We are aware of attacks attempting to exploit the vulnerability. "
A user with the vulnerability just needs to visit a web site containing malware to exploit the security hole to become infected. Thousands of web sites have reportedly already been hacked to host the malware.
You can read more about it here and here. There is a fix posted here.