That's a nice way to do it. I had toyed around with redirecting requests like that to some type of questionable content (think goatse), but unfortunately I don't think either way would have the desired effect (I imagine the worm just parses the reply for a status code rather than rendering any of the content (not nearly as fun
)).
In fact, you have to be carefull on how you handle malicious code, as the tools are often written by people who can't code for crap. I once used mod_rewrite to send 403s back to anyone trying to use the "OPTIONS" request method and it turned out that the damn automated scanners would hang and instead of getting a single entry with a 200 status code, I would get several hundred (doh!).
