A user sent us a screenshot of a piece of malware that uses the RFC 1918 address rewrite in nepenthes to detect the honeypot.
Detecting honeypots is certainly worthwhile if you make money in internet crime, but this particular check is trivial to defeat for anyone running nepenthes:
Set replace_local_ips to 0 in nepenthes.conf (the shipped default is 1, which is exactly what the worm relies on):

```
downloadmanager
{
	replace_local_ips "0";
};
```
From what we could see in the screenshot, the attacking worm sends the honeypot a command to download a file from a specially crafted URL whose host is an RFC 1918 private address. Nepenthes accepts the download:

```
Link ftp://1:1@172.16.1.210:31021/nepdetect.exe has local address, replacing with real ip
```

replaces the private address with the source address of the attack:

```
Replaced Address, new URL is ftp://xxx.yyy.zzz.145:31021/nepdetect.exe
```

and downloads the file from there:

```
Handler ftp download handler will download ftp://xxx.yyy.zzz.145:31021/nepdetect.exe
```

A genuinely infected host would try to reach 172.16.1.210, which the attacker never sees. The worm, which is listening on that port on its own address, instead sees the FTP connection come back to itself, and scores the host as a nepenthes honeypot.
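To make the mechanism concrete, here is a small model of the decision nepenthes makes above, plus a log check for the defender. This is an added example written for this post, not nepenthes' own code: the rewrite function only mimics the documented behaviour (RFC 1918 host rewritten to the attacker's address, port and path kept), the sample log lines are the three from the screenshot, and the attacker address 203.0.113.45 is made up.

```python
import ipaddress
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the three nepenthes log lines quoted in the post,
# with the anonymised attacker address left as it appears there.
SAMPLE_LOG = """\
Link ftp://1:1@172.16.1.210:31021/nepdetect.exe has local address, replacing with real ip
Replaced Address, new URL is ftp://xxx.yyy.zzz.145:31021/nepdetect.exe
Handler ftp download handler will download ftp://xxx.yyy.zzz.145:31021/nepdetect.exe
"""

# RFC 1918 private ranges.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(host):
    """True if host is a literal IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:          # hostname, not an address literal
        return False
    return any(addr in net for net in PRIVATE_NETS)


def rewrite_download_url(url, attacker_ip, replace_local_ips):
    """Model (assumed, not nepenthes' code) of the downloadmanager decision.

    With replace_local_ips enabled, a download URL pointing at a private
    address gets its host swapped for the attacker's source address, keeping
    credentials, port and path. Returns (url_to_fetch, was_rewritten).
    With replace_local_ips disabled the URL is left alone, so the attacker
    never sees a connection back to the port it is listening on.
    """
    parts = urlsplit(url)
    if not replace_local_ips or not is_rfc1918(parts.hostname):
        return url, False
    userinfo = ""
    if parts.username is not None:
        userinfo = parts.username
        if parts.password is not None:
            userinfo += ":" + parts.password
        userinfo += "@"
    netloc = userinfo + attacker_ip + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment)), True


# The log line nepenthes writes when it performs the rewrite.
REWRITE_RE = re.compile(r"Link (\S+) has local address, replacing with real ip")


def find_rewrite_probes(log_text):
    """Return the private-address download URLs that triggered a rewrite.

    Every hit is a candidate honeypot-detection probe: ordinary worm payloads
    point at a public host, so a download URL with an RFC 1918 host is worth
    a closer look (and is a reminder to turn replace_local_ips off).
    """
    hits = []
    for line in log_text.splitlines():
        m = REWRITE_RE.search(line)
        if m:
            hits.append(m.group(1))
    return hits


if __name__ == "__main__":
    probe = "ftp://1:1@172.16.1.210:31021/nepdetect.exe"
    print(rewrite_download_url(probe, "203.0.113.45", True))
    print(rewrite_download_url(probe, "203.0.113.45", False))
    print(find_rewrite_probes(SAMPLE_LOG))
```

Running the script shows the two outcomes side by side: with the option on, the probe is fetched from the attacker's own address and port (the tell-tale the worm waits for); with it off, the URL is left untouched and the honeypot behaves like a real victim. The log scan is what you would run over an existing nepenthes log to see whether you have already been fingerprinted.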
To run this check, the worm has to wait for the download attempt on its anti-honeypot URL before it can decide anything, which means that for every vulnerable host it has to sit for a few seconds waiting for that connection before it can tell the host to download the real payload.
So, if you want to protect your specimen from being collected by a nepenthes honeypot, be aware of the cost this adds to spreading your malware, and note that a single nepenthes config change defeats it anyway.