New SPAM bot Troj_Proxy.aif on Sat Jun 13, 2009 2:29 am
DragonMaster Jay
Site Owner

It seems like a new spam bot is currently being developed. A few days ago, a pretty good analysis was posted of a relatively simple spam bot, which Trend Micro detects as TROJ_PROXY.AIF.
This spam bot is quite straightforward. On execution, the trojan (TROJ_PROXY.AIF) issues a DNS query to a single domain to obtain an IP address in order to connect to a C&C (Command and Control). The C&C traffic is in plain text and one can easily identify how the C&C works.
We say TROJ_PROXY.AIF is simple because, unlike other spam bots like WALEDAC, the former does not have any C&C command encryption or a robust C&C (take down the domain and they're out of business).
One saving grace of this spam bot, however, is its implementation of certain techniques to avoid spam filters.
http://blog.trendmicro.com/the-good-and-the-bad-of-being-a-new-spam-bot/
..........................................................
DragonMaster Jay
Administrative Director SecuraGeek Association
Advanced Malware Analysts Group Owner
