Stochastic activity networks (SANs) are a widely used formalism for describing complex systems that have random behavior. Sophisticated software tools exist for the modeling and analysis of systems described within a SAN framework. This paper presents a SAN model of a local area network's defense against Internet worm propagation, measuring the effectiveness of a defensive strategy based on removing hosts from the local network once an infection is detected. We consider the problem of deciding whether to allocate resources to remove an infected host (and thereby reduce the threat), or remove a susceptible but as-yet uninfected host, to directly save it from attack. Considering a parameterized range of policies that makes this decision based on the number of infections in the local network, we find marked preference for always removing one type of hosts when possible, over the other, regardless of the infection state. We futhermore see whether preference should be given to infected hosts or susceptible hosts depends on the relative speeds at which they are removed. Finally, we see that a worm attack can be effectively countered provided that the aggregate rate at which hosts can be removed is on the order of the aggregate infection rate at the time the defense is engaged. Our effort demonstrates the utility of using sophisticated modeling tools to study worm defense, and policy decisions surrounding it.