There's now nine different worms or bots using the week-old Plug-and-Play vulnerability. Most of the recent problems are caused by a worm we call Zotob.D and a two bots we call Ircbot.es and Ircbot.et.
The main scenario remains the same: these things will only infect you via the MS05-039 vulnerability if you're running Windows 2000 with port 445/TCP open - and you haven't installed last weeks patches. Or you have installed the patches but haven't rebooted.
The big organizations that are getting hit right now have most likely introduced the infection to the internal network via infected laptops.