The better idea would be fingerprint the spam to match the bot used to match the exploit used to run the bot to then reverse exploit back to the exploited machine patching in the process. I managed to setup such a system a while ago with nimda traffic however I could not a find a software tool which exploited a nimda exploited machine which could then patch it and remove the virus (Ie a remote doctor without you knowing :)
Colin Johnston
