We generally don't write signatures these types of worms because they mutate so fast. However, 4.0 sensors should catch infected hosts with signature 3320 "SMB: ADMIN$ hidden share access attempt". This is a 4.0 only signature. You would see an infected host as the source for many of these alarms. Because the worm tries to bruteforce passwords, signature 6255 "SMB Authorization Failure" may also fire.