More than 600,000 Apple Macs - half of them in the US - are believed to be infected with the Flashback trojan.
According to Russian antivirus company Dr Web, there are also significant numbers of onfected machines in Canada, the UK and Australia. Of the US victims, 274 are in Cupertino, California - Apple's home town.
"This once again refutes claims by some experts that there are no cyber-threats to Mac OS X," says Dr Web.
Security firm F-Secure has instructions on how to identify an infection and remove it, here.
While Flashback first appeared about six months ago, infecting only older Java installations, the new version exploits a vulnerability that's been around for about six weeks and attacks more up to date versions too.
Apple's already released a patch, here.
But Chester Wisniewski of security firm Sophos says Apple's been too slow to respond.
"This does make you wonder whether Apple takes security as seriously as it should. Perhaps its public facing image of being invulnerable is the prevailing attitude within the company," he says.
"Why Apple did not deploy these fixes before Mac users were victimized by criminals is unclear."