Naming some popular spambots

Part of what I’ve been doing lately is finding, running, and maintaining bots in a controlled environment. The first part, finding them, which includes identifying the binaries I’m running, turns out to be difficult.

Through a few “special” techniques, I come up with some new binaries that produce spam. For example, the binary with MD5 f03077adfdedc55b9ae906be897f2cc0. It runs, connects to a C&C, has an obfuscated C&C protocol, and ends up sending spam. So what is it? VirusTotal says (Screenshot 1):

What does that mean? Well, in my opinion, it means that none of the AV signatures have a clue; they just say it’s probably bad stuff. This binary happens to be an installer for a newer version of Rustock, which I can verify by watching it run. I have several thousand binaries that I’ve acquired using the same technique as this one, most of which also have useless AV labels.

Why is that? Malware distribution is complicated. There are a lot of steps, intermediate binaries, packers, crypto, etc. What happens is that somewhere along the line of installation, an AV signature matched, and everything else that came out of that installation then got labeled according to the same signature. I see this a lot with generic droppers: the bot binaries that are run become labeled as Virut (an old-school generic dropper) or Harnig (another generic dropper), both of which can drop any number and type of malware binaries. In some experiments, I’ve seen over 15 different binaries be downloaded and executed by a single dropper, and this behavior changes on subsequent executions.
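As an added illustration of the labeling problem (example code, not from the original post), the following script normalizes a constructed set of vendor labels for one sample and reports whether they agree on a family, only name generic classes, or have collapsed onto a generic dropper family such as Virut or Harnig. The vendor names, the labels and the generic-word list are constructed assumptions.

```python
import re
from collections import Counter

# Words that name a malware class or a heuristic rather than a family.
# Constructed list for this example; extend it for your vendors' naming styles.
GENERIC_TOKENS = {
    "generic", "trojan", "malware", "malicious", "heur", "suspicious", "agent",
    "downloader", "dropper", "win32", "w32", "variant", "gen", "packed", "crypt",
    "virus", "backdoor", "rootkit", "worm", "spyware",
}
# Dropper families the post describes as being applied to whatever they drop.
DROPPER_FAMILIES = {"virut", "harnig"}


def family_tokens(label):
    """Split an AV label into lowercase tokens, dropping class words,
    variant numbers and one- or two-letter suffixes such as '.ce' or '.B'."""
    toks = re.findall(r"[a-z0-9]+", label.lower())
    return [t for t in toks if t not in GENERIC_TOKENS and not t.isdigit() and len(t) > 2]


def label_consensus(results):
    """results: dict vendor -> label. Returns (verdict, family, vote_fraction)."""
    votes = Counter()
    for label in results.values():
        for tok in set(family_tokens(label)):   # one vote per vendor per token
            votes[tok] += 1
    if not votes:
        return ("generic-only", None, 0.0)
    family, count = votes.most_common(1)[0]
    fraction = count / len(results)
    if family in DROPPER_FAMILIES:
        return ("dropper-attributed", family, fraction)   # likely labeled by its dropper
    if fraction < 0.5:
        return ("no-consensus", family, fraction)
    return ("family", family, fraction)


# Constructed scan results for three hypothetical samples (vendor names are made up).
SAMPLE_GENERIC = {"VendorA": "Trojan.Generic.12345", "VendorB": "Win32/Heur",
                  "VendorC": "Suspicious.Packed", "VendorD": "W32.Malware!gen"}
SAMPLE_DROPPER = {"VendorA": "Virus.Win32.Virut.ce", "VendorB": "W32/Virut.gen",
                  "VendorC": "Trojan.Downloader.Harnig", "VendorD": "Virut"}
SAMPLE_FAMILY = {"VendorA": "Trojan.Rustock.B", "VendorB": "Backdoor.Win32.Rustock",
                 "VendorC": "Rootkit.Rustock!gen", "VendorD": "Generic.Malware"}

if __name__ == "__main__":
    for name, res in [("generic", SAMPLE_GENERIC), ("dropper", SAMPLE_DROPPER), ("family", SAMPLE_FAMILY)]:
        print(name, label_consensus(res))
```

A "generic-only" or "dropper-attributed" verdict is the cue to fall back on behavioral observation, as the post does with the Rustock installer, rather than trusting the label.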
