Finding and Deleting the Tsunami Trojan
Variants of this Trojan have been reported to open connections to IRC channels and servers, and this network activity is how they can be detected. Additionally, a file called logind in your /usr/sbin folder is evidence of infection (a legitimate file called "logind" can be found in /System/Library/CoreServices/; this one is safe).
Using the logind name is significant: Mac OS X developers identify daemon processes (those working in the background) with a "d" in the filename. As a result, this piece of malware fools the user into running it by appearing to be a genuine piece of software.
When executed, the fake logind process hijacks the genuine com.apple.logind.plist system launch daemon, dropping in its own code, which causes the Trojan to be launched each time your Mac reboots.
If you suspect that your Mac has the Tsunami Trojan installed, the first thing you should do is run a detection tool such as Little Snitch, which is a firewall application that can also detect network activity by malware. Attempts to access IRC servers such as pingu.anonops.li, x.lisp.su or any server via port 6667 should be immediately investigated.
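The two checks described above (a logind file in /usr/sbin, and connections to port 6667 or the named IRC hosts) can be scripted. This is an added example, not part of the original article; the function names, the optional root-prefix argument and the sample connection listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: checks for the two indicators the article names.

# Indicator 1: a file called logind in /usr/sbin. The genuine logind lives in
# /System/Library/CoreServices/ and is not flagged.
# $1 = optional root prefix (assumption: lets you scan a mounted backup).
check_fake_logind() {
    root="${1:-}"
    if [ -e "$root/usr/sbin/logind" ]; then
        echo "SUSPICIOUS: $root/usr/sbin/logind exists"
        return 1
    fi
    return 0
}

# Indicator 2: outbound connections to remote port 6667, or to the IRC hosts
# named in the article. Reads a connection listing on stdin (the format
# `lsof -nP -iTCP` prints) and echoes only the matching lines.
find_irc_connections() {
    grep -E -e '->[^ ]*:6667( |$)' \
            -e 'pingu\.anonops\.li|x\.lisp\.su' || true
}

# Constructed sample listing (documentation-range addresses, not real data).
sample_listing() {
    cat <<'EOF'
logind  412 root  4u IPv4 0x0 0t0 TCP 192.0.2.10:49201->203.0.113.7:6667 (ESTABLISHED)
Safari  388 user 12u IPv4 0x0 0t0 TCP 192.0.2.10:49180->198.51.100.20:443 (ESTABLISHED)
ircd     77 user  9u IPv4 0x0 0t0 TCP 192.0.2.10:6667->198.51.100.21:50412 (ESTABLISHED)
EOF
}

check_fake_logind "" || true
echo "Matches in the constructed sample:"
sample_listing | find_irc_connections
# On a live Mac: lsof -nP -iTCP | find_irc_connections
```

Only the first sample line is reported: the third line has 6667 as the local port, not the remote one, so it is not treated as an outbound IRC connection.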
Removal of the Trojan is best achieved via Mac-specific software such as F-Secure or Intego, which is much preferable to manually extracting the malware.