Yes. But you'd ALSO have to be stupidly running in Root which is not activated in the default install of OS X. Far less than 1/10 of one percent of Mac users have activated a root account. Even fewer will routinely run in root.
That's why it is so hard to believe the claim of a 20,000 unit botnet. First you have to be smart enough to know how to activate root and simultaneously stupid enough to try to rip off, from a pirate site, a free copy of trial software that is more easily obtained from Apple's own servers. The BitTorrent sites that had hosted the infected files back in January reported that the total downloads of the malware, before the files were removed, was in the "dozens." What are the odds that any one of those fewer than 100 downloaders was running in root and thereby vulnerable to being infected by this Trojan?
I didn’t even know I had something called root. And I now am beginning to seriously doubt that “The Opera Gala: Live from Baden-Baden (2007)” was one of the infected downloads. Oh well. Better the DVD.
1. The malware checks to see if it's running as root, meaning euid=0 (effective uid). This is easily accomplished by any Mac user who set up their own machine, because you don't have to "activate the root account" to do it.
"sudo" is available to all members of group "admin", and the default install user is made a member of group admin so they can administer their own machine. As you know, if you run sudo from the command line, it requests your password and then runs the command that follows, as root (euid=0). I expect that the well-known installation GUI dialog prompt for password is exactly the same mechanism -- allowing the current user to elevate to root privilege by doing a setuid of 0.
It does NOT require activating the user account called "root".
2. You mean "run as root", not "run in root".