I’m sitting in a tech talk from Vern Paxson about the Witty worm, and he’s just described how they could determine the state of the random number generator on infected machines when it sent probes to possible victims. That gives you the uptime of the infected host. They can also see the distance between random numbers in the sequence, which means they can calculate the speed of the network link of infected machines, because they know the time distance between repeated probe attempts and how many packets were sent in between.
They can also determine the number of disks plugged into the infected machine, because a bug in the worm only re-seeded the random number generator when it trashed a disk block on the machine. It can only do that if that randomly selected disk exists.
The talk is being taped, so other people will be able to see it in a week or two.
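The state recovery and probe counting described above can be sketched as follows. This is an added example, not code from the talk or this post. It assumes a 32-bit linear congruential generator with the Microsoft C runtime `rand()` constants, that each observed probe exposes the upper 16 bits of three consecutive states, and that each probe consumes four draws (`CALLS_PER_PACKET`); the starting state is constructed.

```python
# Assumptions (not from the post): LCG constants of the MSVC rand(), and
# each probe leaks the upper 16 bits of three consecutive generator states.
A, C, M = 214013, 2531011, 2**32
CALLS_PER_PACKET = 4  # assumed number of PRNG draws per probe sent

def step(state):
    return (A * state + C) % M

def make_probe(state):
    """Constructed observation: upper 16 bits of three consecutive states."""
    s1 = step(state)
    return [state >> 16, s1 >> 16, step(s1) >> 16]

def recover_states(highs):
    """Brute-force the hidden low 16 bits; return every state that fits."""
    found = []
    for low in range(1 << 16):
        s0 = s = (highs[0] << 16) | low
        for h in highs[1:]:
            s = step(s)
            if s >> 16 != h:
                break
        else:
            found.append(s0)
    return found

def steps_between(start, end, limit=1 << 20):
    """Count draws from start to end, or None if end is not within limit."""
    s = start
    for n in range(limit + 1):
        if s == end:
            return n
        s = step(s)
    return None

def probes_between(probe_a, probe_b):
    """Probes the host sent between two observed ones (None if unlinked)."""
    for sa in recover_states(probe_a):
        for sb in recover_states(probe_b):
            n = steps_between(sa, sb)
            if n is not None:
                return n // CALLS_PER_PACKET
    return None

if __name__ == "__main__":
    first, later = 0x1234ABCD, 0x1234ABCD      # constructed generator state
    for _ in range(4000 * CALLS_PER_PACKET):   # host sends 4000 probes
        later = step(later)
    print(probes_between(make_probe(first), make_probe(later)), "probes in the gap")
```

Dividing the returned probe count by the time between the two observations gives the host's sending rate.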