Thanks Jerry, you answered my question. I didn't realize the worm was looking in other directories. To my above script, the following ammendments will catch all the worm attempts, eliminating db hits.
# Proc to log all requests to server.log for easier analysis
# probably not for use on heavy traffic sites.
proc all_and_everything {conn ignore} {
ns_log notice "[ns_conn peeraddr] [ns_conn request]"
return filter_ok
}
# New ns_register_filters:
ns_register_filter preauth GET /* all_and_everything
ns_register_filter preauth GET /*.exe nimda
ns_register_filter trace GET /*.exe nimda_breaktrace
# Note order of registration above is important!