[drdrey]

Binary checksums are usually not very helpful for identifying malware. The fact that the binary they were looking at was called "unpacked" suggests that there would be packed versions out there, and they would have a different checksum.

[clinton_sf]

Yes. And the malware could be polymorphic. Or there could be multiple versions of the same "core" out there. It's not clear to me how sophisticated virus (malware) scanners for OS X are with dealing with that.

[lm2s]

From what I know (which is not much) scanners, among other things, search for identifying patterns in files. So there is an identifying pattern of each discovered malware/virus in a database.