I recently wrapped up an analysis of a Ramnit sample. Here is a download link for the PDF version and a link for the Google Docs version. The analysis is kind of a hybrid of an incident response report and a description of interesting low level features. The analysis does not focus on functionality or commands of the malware but how the malware interacts with parts of the operating system. The sample is from 2010. I was hoping to have downloaded one of the newer samples featured by on Microsoft's Malware Protection blog but that didn't happen on my first sample download. Sadly by the time I realized the compile date it was too late. I was already way too curious how the sample worked to quit. If anyone has a hash of one of the newer samples featured on MS's blog please shoot me an email or leave a comment. I'd like to look at the MITB injection features.
Disclaimer: The PDF was exported from Google Docs. I have noticed sometimes the images won't render properly in Firefox pdf.js.