With Virtualbox (or VMware, it should be similar), you should be able to use "Snapshots" to rollback to a previous state.
The VM has to be powered off to be able to "Snapshot" the VM state. You can have multiple snapshots.
I'd recommended turning off the network card in Vbox/VMware before fiddling with the malware.
As to "how" to locate the changes the malwares as done, I do not know that part.