I've been thinking...
Having see some botnets in action, and how long it takes for AV companies, update their signature data to pick up new variants, surely... it makes sense to them to have a tool with which you can analyse a suspect binary and generate a sig from the suspect binary (NOTE this sig does not necessarily need to be an all singing all dancing version) and then load THAT sig file into the enterprise AV engine. This way the botnet can be blocked as soon as it is detected... instead of waiting a week or in some cases 2 weeks for the AV companies to role out a generic sig file? Or are there AV companies doing this?
Any way it looks like a new attack vector has been found, and that is VM software to host different OS'es, the gist of the technique seems to be that the these VMs need to communicate in some form with the "host" or main OS NOW... if your VM is hosting a vulnerable OS a malicious bit of code can infect the VM hosted software and "jump" across to what could be secure OS...
http://www.codeproject.com/system/VmDetect.asp?print=true
http://chitchat.at.infoseek.co.jp/vmware/vmtools.html