Virus Writers do something clever

Traditionally HTTP exploits have been rather mild. When an exploit site is set up and spammed to millions it can quickly be taken off line. Its also relatively easy to add to a block list such as the one provided via Websense.
The Bofra worm acts as a sort of HTTP worm. When it infects a system it harvests email addresses then sets up an HTTP server on a random port. (Although one write up of one variant I saw mentioned TCP 1639). The recipients of the email trusting enough to follow unsolicited links from random people are taken to the exploit website on the infected machine.
Because each new infected machine is a potential infecter it is much more difficult to handle than traditional HTTP viruses. The other bad news is the Iframe Internet Explorer exploit isn’t going to be stopped by antivirus since the exploit occurs without writing a file to disk.
The good news is that proper egress filtering can prevent this sort of activity. The bad news is the masses aren’t sitting behind a firewall( personal or otherwise). Particularly one with outbound filtering.