Symantec officials now say the company has determined that the Crisis JAR (Java archive) file contains executables for Mac and Windows.
The Windows code uses three techniques to spread.
It searches for VMware virtual machine images and then copies itself into those images.
"This may be the first malware that attempts to spread onto a virtual machine," said a Symantec spokesperson.
Secondly, Crisis copies itself and an autorun.inf file onto removable drives.
"[Crisis] is an advanced threat not only in function, but also in the way it spreads," the spokesperson added.