Is there a way (on an ASA/PIX specifically) to block the outbound connections made by this worm so that you can contain the traffic to the local network and also log the hosts that are infected?
I can't say specifically how you go about firewall rules and that particular equipment, but we have an inbound ACL on our gateway Cisco router that blocks incoming TCP connections on port 445, which this worm uses to try and talk to vulnerable Windows boxes, AFAIK.
On our 7505 that handles our customer's DSL connections, we have an outbound rule that blocks 445. It only has 53 matches after months without a counter reset.
The ACL on our border router shows tremendous amounts of matched packets. I can't recall exactly how long ago these counters were reset; I believe around a month to a month and a half:
deny tcp any any eq 445 syn (11118380 matches)
permit ip any any (358140948 matches)
That's about 3% of incoming packets. Non-scientific, sure, but it's certainly more than a little blip on the radar. Bastards.
In the time it took to preview and edit my post, the count went up to 11118552. That took about a minute.
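For the "log the hosts that are infected" half of the question, here is an added example that is not part of the thread: once outbound TCP/445 is denied at the firewall, the deny syslog can be tallied per inside source address. It assumes the ASA/PIX emits message 106023 for ACL denies; the interface name `inside`, the ACL name, the fan-out threshold and all sample lines are constructed for illustration.

```python
import re
from collections import Counter

# Assumed line shape: ASA/PIX syslog message 106023 (packet denied by an ACL).
DENY_RE = re.compile(
    r"%(?:ASA|PIX)-\d-106023: Deny tcp src (?P<sif>[^:\s]+):(?P<src>[\d.]+)/\d+ "
    r"dst (?P<dif>[^:\s]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)

# Constructed sample lines (RFC 1918 sources, RFC 5737 destinations).
_ACL = ' by access-group "inside_out" [0x0, 0x0]'
SAMPLE = [
    "Jan 12 10:01:02 fw1 %ASA-4-106023: Deny tcp src inside:192.168.1.23/1045 dst outside:198.51.100.7/445" + _ACL,
    "Jan 12 10:01:02 fw1 %ASA-4-106023: Deny tcp src inside:192.168.1.23/1046 dst outside:198.51.100.8/445" + _ACL,
    "Jan 12 10:01:03 fw1 %ASA-4-106023: Deny tcp src inside:192.168.1.23/1047 dst outside:203.0.113.40/445" + _ACL,
    "Jan 12 10:01:03 fw1 %PIX-4-106023: Deny tcp src inside:192.168.1.23/1048 dst outside:203.0.113.41/445" + _ACL,
    # One stray attempt: below the fan-out threshold, so not reported by default.
    "Jan 12 10:02:10 fw1 %ASA-4-106023: Deny tcp src inside:192.168.1.50/2001 dst outside:198.51.100.7/445" + _ACL,
    # Different port: ignored.
    "Jan 12 10:02:11 fw1 %ASA-4-106023: Deny tcp src inside:192.168.1.23/1049 dst outside:198.51.100.9/25" + _ACL,
    # Inbound probe from outside: shows exposure, not an infected local host.
    "Jan 12 10:02:12 fw1 %ASA-4-106023: Deny tcp src outside:203.0.113.99/4000 dst inside:192.168.1.10/445" + _ACL,
]


def suspected_hosts(lines, inside_if="inside", port=445, min_targets=3):
    """Return {source_ip: (denied_count, distinct_destinations)} for inside
    hosts whose denied outbound TCP attempts to `port` reach at least
    `min_targets` different destination addresses (scanning behaviour)."""
    hits = Counter()
    targets = {}
    for line in lines:
        m = DENY_RE.search(line)
        if not m or m["sif"] != inside_if or int(m["dport"]) != port:
            continue
        hits[m["src"]] += 1
        targets.setdefault(m["src"], set()).add(m["dst"])
    return {ip: (hits[ip], len(dsts))
            for ip, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for ip, (count, fanout) in sorted(suspected_hosts(SAMPLE).items()):
        print(f"{ip}: {count} denied SYNs to {fanout} distinct hosts on tcp/445")
```

Requiring several distinct destinations separates a scanning host from a single mistyped share path; tune `min_targets` to the log window being examined.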