Researchers at the Laboratory of Cryptography and System Security (CrySyS) — the group that initially discovered the original Duqu binaries — has located an installer for the malware. The installer file is a malicious Microsoft Word document that exploits a previously-unknown kernel vulnerability that allows code execution.
Once the Word file is opened, the malware executes and installs the Duqu binaries.
The revelation that Duqu uses a zero-day is yet another similarity with Stuxnet, the notorious worm discovered in 2010 targeting industrial control systems. In the case of Stuxnet, the attackers used four Microsoft zero-days to infect systems.
Microsoft has been notified and is working on a fix.