Heapspray method writes moreWhile you were making your post I was editing mine . I read somewhere that the worm uses the heapspray method. But, I think that remote heapspray may be a challenge for some anti-exploits.
times a shellcode in the memory of a running process.
But then DEP "should" block the execution of malicious code in the memory according to my experience.