Vulnerability Development mailing list archives

is it even possible for a worm with dcom vuln?


From: "wirepair" <wirepair () roguemail net>
Date: Sun, 27 Jul 2003 10:09:12 -0700

After the release of the few exploits which take advantage of the dcom / rpc vulnerability I began thinking to myself how this could possibly be turned into a worm. The exploits that have already been written use hard coded offsets for the different sp's/os's. So this would not work for a worm template. Also it requires a few requests so this would not be a very fast worm in theory. Also after the service is exploited the service fails. I could see a few issues with a 'universal offset' for a jmp esp/call esp or any other way to get the worm instructions to begin executing. The vast differences in operating systems could make the threat of this being a worm smaller in my mind. With the IIS worms (code red) they had it easy because the service would just restart itself, and it is only attacking one particular version with the same base addresses. So I guess what I'm asking is, is it even feasible to write a worm for this particular vulnerability? I would imagine the worm would need to be pretty advanced in finding the correct offsets prior to exploitation, without crashing svchost.exe. Now I am in no way downplaying the threat of this vulnerability and I find it to probably be the largest thing to ever hit windows. I just want to hear other people's thoughts on this subject. Or a worm could attack a single operating system/sp but that wouldn't be nearly as damaging as a worm that could attack all versions of windows (nt4-win2k3) and sp's. Any thoughts?
-wire

