In a lot of the malware that comes across ISC, the author leave in some kind of signature or message. This week, we have received report of a botnet malware with reference to SANS (hidden in the code), the message is similar to the following,

You better f##k off SANS.org especially that Johannes Ullrich (jullrich@XXX, XXX-XXX-XXXX) and Kevin Hong (khong@XXX.kr, +XX-X-XX-XXX). I really don't have anything against you, just p##s off alright?

The author of the malware also registered 'sans-security.org' (now defunct)

The binary is a Vanbot variant.  At the time of writing, Virustotal has the following to say about the malware.

Antivirus	Version	Update	Result
AntiVir	7.3.1.38	02.22.2007	BDS/VanBot.AY.6
Authentium	4.93.8	02.23.2007	W32/Trojan.YAZ
Avast	4.7.936.0	02.22.2007	no virus found
AVG	386	02.23.2007	BackDoor.Generic5.CLH
BitDefender	7.2	02.23.2007	no virus found
CAT-QuickHeal	9.00	02.22.2007	Backdoor.VanBot.ay
ClamAV	devel-20060426	02.22.2007	no virus found
DrWeb	4.33	02.23.2007	BackDoor.IRC.Sdbot.1125
eSafe	7.0.14.0	02.23.2007	Win32.VanBot.ay
eTrust-Vet	30.4.3423	02.23.2007	Win32/Nirbot.K
Ewido	4.0	02.22.2007	Backdoor.IRCBot.aab
FileAdvisor	1	02.23.2007	no virus found
Fortinet	2.85.0.0	02.23.2007	W32/SDBot.H!worm
F-Prot	4.3.1.45	02.22.2007	W32/Trojan.YAZ
F-Secure	6.70.13030.0	02.23.2007	Backdoor.Win32.VanBot.ay
Ikarus	T3.1.0.31	02.22.2007	Backdoor.Win32.VanBot.ay
Kaspersky	4.0.2.24	02.23.2007	Backdoor.Win32.VanBot.ay
McAfee	4969	02.22.2007	W32/Sdbot.worm.gen.h
Microsoft	1.2204	02.23.2007	no virus found
NOD32v2	2076	02.22.2007	Win32/Vanbot.AY
Norman	5.80.02	02.22.2007	no virus found
Panda	9.0.0.4	02.23.2007	W32/Sdbot.JWH.worm
Prevx1	V2	02.23.2007	Malware.Trojan.Backdoor.Gen
Sophos	4.14.0	02.21.2007	no virus found
Sunbelt	2.2.907.0	02.22.2007	no virus found
Symantec	10	02.23.2007	W32.Rinbot.B
TheHacker	6.1.6.062	02.21.2007	no virus found
UNA	1.83	02.22.2007	Backdoor.VanBot.E9CE
VBA32	3.11.2	02.22.2007	Backdoor.Win32.VanBot.ay
VirusBuster	4.3.19:9	02.22.2007	no virus found