Crisis Believed to be First Malware Infecting Virtual Machines

Rather than infecting only Macs, Crisis also infects Windows PCs and Windows Mobile devices and, for the first time, a VMware virtual machine. Security researchers originally believed that the malware was limited to monitoring the applications Adium, Firefox, Skype and MSN Messenger.

What makes Crisis interesting is that it appears to be specifically looking for virtualized environments and is therefore believed to be the first malware to spread onto a virtual machine. "The threat uses three methods to spread itself: One is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device," Symantec wrote on its blog.

In the case of the virtualized scenario, "the threat searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool." Symantec stressed that Crisis does not take advantage of a vulnerability in VMware, but exploits a characteristic of virtualization in general and the fact that "the virtual machine is simply a file or series of files on the disk of the host machine."
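Because a guest is just files on the host disk, a host-side integrity baseline of powered-off images can flag the kind of offline modification described above. The following is an added example, not code from Symantec or the original article; the extension list, function names and sample files are assumptions constructed for illustration, and it assumes the guests stay powered off between baseline and check.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumption: file extensions that make up a VMware guest on the host disk.
VM_EXTS = {".vmdk", ".vmx", ".nvram", ".vmsn"}

def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large disk images do not fill memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map every VM image file under root (relative path) to its SHA-256."""
    result = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in VM_EXTS:
            result[p.relative_to(root).as_posix()] = sha256_file(p)
    return result

def diff(baseline, current):
    """Return (modified, added, removed) image files as sorted lists."""
    common = baseline.keys() & current.keys()
    modified = sorted(k for k in common if baseline[k] != current[k])
    added = sorted(current.keys() - baseline.keys())
    removed = sorted(baseline.keys() - current.keys())
    return modified, added, removed

def demo():
    """Build a constructed guest directory, change it, and report the diff."""
    with tempfile.TemporaryDirectory() as root:
        vm = Path(root) / "guest1"
        vm.mkdir()
        (vm / "guest1.vmdk").write_bytes(b"constructed disk contents")
        (vm / "guest1.vmx").write_text('displayName = "guest1"\n')
        (vm / "notes.txt").write_text("not a VM file, ignored")
        base = snapshot(root)
        # Stand-in for any write to the image while the guest is powered off.
        with open(vm / "guest1.vmdk", "ab") as f:
            f.write(b"extra bytes")
        (vm / "guest1-s001.vmdk").write_bytes(b"unexpected new extent")
        return diff(base, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

A running guest legitimately rewrites its own disk files, so a changed hash is only a signal for images that were not started since the baseline was taken.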

Wolfgang Gruener
Contributor

Wolfgang Gruener is an experienced professional in digital strategy and content, specializing in web strategy, content architecture, user experience, and applying AI in content operations within the insurtech industry. His previous roles include Director, Digital Strategy and Content Experience at American Eagle, Managing Editor at TG Daily, and contributing to publications like Tom's Guide and Tom's Hardware.