1. The malware checks to see if it's running as root, meaning euid=0 (effective uid). This is easily accomplished by any Mac user who set up their own machine, because you don't have to "activate the root account" to do it.
"sudo" is available to all members of group "admin", and the default install user is made a member of group admin so they can administer their own machine. As you know, if you run sudo from the command line, it requests your password and then runs the command that follows as root (euid=0). I expect that the well-known installation GUI dialog prompt for a password is exactly the same mechanism -- allowing the current user to elevate to root privilege by doing a setuid of 0.
It does NOT require activating the user account called "root".
2. You mean "run as root", not "run in root".
True.