It's amazing we still have this issue given the November worm.
However, I believe the numbers that are posted for systems infected. I was surprised when I ran the utility for detecting the vulnerability and found an unsecured server controlled by our own DBA group! What made it worse was it was a SQL 2000 box (development) which meant the DBA who configured it manually selected that blank password. This was after another DBA went through and explained during a meeting of the DBA team the vulnerability, the worm, etc. The DBA in question has been corrected, but it goes to show that every system should be checked.
K. Brian Kelley
bkelley@sqlservercentral.com
http://qa.sqlservercentral.com/columnists/bkelley/
K. Brian Kelley
@kbriankelley