Sorry that I didn't explain it throughoughly.
These are two pictures, one left one right. The right side shows the structure of the file, which is determined by my PE parser. General: It has headers and sections. Sections are the grey scaled tones and often start with a dot in their name. Sections may contain resources, debug-information, exported and imported functions, and executable code. The entry point marks the start of execution, it is displayed as one red square.
The left side are kind of xrays. The left displays the entropy, which is how much information is in there. Like, if you had everything filled with one and the same byte (= no information content), you would get a black area. If you had random numbers in that area, it would be white, because repetition is unlikely. That also means, encrypted and compressed content is very bright.
An example is in the first picture, which displays an infected host file. The virus hides itself by encrypting its body and copying itself into the last section of the file. The last section there is .gdata (see legend to find it).
You can also see that the overlay (= appended data) and the .data section have almost no information content as the area is black. The .text section contains the executable code, you also see the red squared entry point there. Code has a high entropy, but not as much as encrypted or compressed data.
I hope this cleared some things up?
Edit: The Zeus Trojan must be heavily encrypted.
Only protected files look this bright on the entropy picture. This would be a normal (without protection) one:
And another harmless, unprotected file:
