It is common to come across malware that refuses to run in a virtual machine or emulator. Using well-known tricks, it can prevent itself from being analyzed. But what if it does not run even on a real computer? The following sample, part of the zbot family, uses volume CLSID comparison as a security check to prevent it from being easily analyzed.
When we tried to run this sample on a real machine to get under the hood very quickly, nothing happened. So we started a regular analysis and figured out that, before any malicious action is taken, the malware loads twice encrypted data from the overlay and, after decryption, compares specific bytes with other data obtained from the local machine.
Read more: http://blogs.avg.com/news-threats/zbot-family-runs-selected-systems/