Worm Targets Mac OS X

         

rogerd

2:13 pm on Oct 26, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member



[newscientist.com...]

The bad news: it installs keystroke logging software and disables firewalls.

The good news: it's not self-propagating yet.

ytswy

2:34 pm on Oct 26, 2004 (gmt 0)

10+ Year Member



This was on Slashdot a couple of days ago:
[apple.slashdot.org...]

My understanding is that it's more of a root kit than it is a worm - it does all sorts of nasty things, but needs to be installed with root access.

encyclo

3:13 pm on Oct 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



It's a pretty standard root-kit based on a simple bash script which has been adapted to OSX. As ytswy says, there is currently no mechanism for installing it - and if you have given someone administrative access to your machine, they could do anything anyway. That means that the script is not a vulnerability in itself, nor is it a worm (because there is no method of spreading it).

This would only become a problem if a vector is discovered for remotely gaining access to an OSX machine, or if someone uses social engineering tactics (like a fake security advisory sent as spam) to trick a user into running the script themselves.

Once you have root (administrator) access, you can do whatever you want, including wiping the entire hard disk.

timster

3:31 pm on Oct 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



My understanding is that yes, this trojan/worm needs to do some social engineering to break into your network initially, but then it tries to crack into other OS X boxes on the network by guessing passwords.

If your network has a lot of Mac users with admin access and easy passwords, and at least one user dumb enough to install dirty software, this could be a problem.

That's a lot of ifs, but I did go ahead and change my password here at work, just in case.

Macguru

3:35 pm on Oct 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Most cheese graters around here are not even protected by any password.

I think we will change this.