If I am interpreting this correctly, you would have to download something with this in it, and then install whatever it is, in order to do damage. Am I understanding this?
Yep, just the way 90% of viruses get on PCs.
Correct. And you’d have to type in your admin password to allow it to be installed. And even then it can’t reproduce automatically to other machines.
Yes. But you'd ALSO have to be stupidly running in Root which is not activated in the default install of OS X. Far less than 1/10 of one percent of Mac users have activated a root account. Even fewer will routinely run in root.
That's why it is so hard to believe the claim of a 20,000 unit botnet. First you have to be smart enough to know how to activate root and simultaneously stupid enough to try to rip off, from pirate site, a free copy of trial software that is more easily obtained from Apple's own servers. The BitTorrent sites that had hosted the infected files back in January reported that the total downloads of the malware, before the files were removed, was in the " dozens." What are the odds that any one of those fewer than 100 downloaders was running in root and thereby vulnerable to being infected by this Trojan?