I was particularly interested by a post titled "On Oracle worms" that makes an interesting point about the feeling in the community of Oracle users that a worm will not work because the database is usually behind a firewall. Whilst there are no where as near as many Oracle databases exposed to the net as SQL Server / MSDE for instance, it does not mean that there are not exposed databases out there.
The new Oracle Express should change that viewpoint. I am also interested by Davids comments that the extproc flaw would be an ideal vector for a worm and it could be called remotely and also methods exist for replication. Whilst it would be possible to do this from inside the database a more scripted approach might suit. As David points out lets hope that his comment does not end up being a self fulfilling prophecy.