I would recommend that you not run malware, especially not worms, if you aren't confident about how to manage a VM environment for malware testing. Typically in VirtualBox, any holes that malware could exploit to jump out get plugged pretty quickly by Oracle (the owner). Nothing is perfect, so there will be more exploits in the future. I would also recommend a VPN to encrypt the network on your host, which in turn will encrypt the internet on your VM if you have networking like NAT set up. Some malware will know it's in a virtual machine, so it could do several things, including:
try to exploit a VM's code and jump to the host (worms will jump into the network regardless of VM or not - I'm not entirely sure, but VPN and NAT networking should prevent a worm from spreading - better to not test, or disable networking on the VM), some will delete themselves almost instantly (sometimes malware could just hide or move itself, then infect the VM - that doesn't mean it's VM aware), and some will simply not do anything, as well as possibly tell you it can't run in a VM with a dialog box.
I would NOT recommend using folder sharing, clipboard sharing (host to guest should be fine though, that's what I use and I've run thousands of malware samples under it), or using a bridged network.
I would recommend running a firewall and AV on the host, but sometimes it may kill the test by blocking the malware's access to the internet. Again, I recommend using a VPN to avoid criminals knowing your IP, hitting you with a botnet, getting in trouble with your ISP or the government itself, etc. I can't recommend a VM other than VirtualBox, since you can set up snapshots to clean up the VM after you're done with it. Otherwise you might have to copy/clone the VM VD (virtual drive) before using it so you can have a clean backup. If you use VirtualBox, don't use extension packs, as I hear this can create openings for malware.
Even though I am as experienced as I am with computers and VMs, even I still feel uneasy about running malware. Back up your computer as @XhenEd suggested. It's a smart idea no matter the reason. Preferably on a separate, external HDD. Or disconnect the HDD/partition so the computer can't access it and infect it while testing malware. Even experts should feel a little uneasy. It's called unknown malware because even they don't know what it does. That's why it's run in a super isolated environment that VirtualBox and others probably couldn't provide, at least by default. Some even have a dedicated computer for such testing without networking, which is the best and most ideal.
As for having malware on your hard drive, it's been mentioned above that as long as you don't run them, they can't do anything. Most people in the malware hub download the viruses to the host and scan (context) or on extraction. This is fine. I would not click to delete, but simply highlight then delete to avoid an accidental double click or run (if you have your computer set up to run on single click).
Hope this rant helps you protect yourself or persuades you to not bother testing malware. If you're not running the malware, don't worry about it. You'll be fine even without any safeguards in place.
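The isolation rules in the post above (no shared folders, no guest-to-host clipboard, no bridged networking) can be checked mechanically before each run rather than remembered. The following POSIX shell script is an added example, not code from the original post or from VirtualBox: it audits the machine-readable settings dump that `VBoxManage showvminfo <vm> --machinereadable` prints and reports every setting that breaks one of those rules. The key names it matches (`clipboard=`, `draganddrop=`, `nic1=`, `SharedFolderNameMachineMapping1=`) are the ones I have seen VirtualBox emit; treat them as an assumption and confirm them against the output of your installed version. The sample dump embedded at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a VirtualBox VM's isolation settings for malware testing.
# Reads `VBoxManage showvminfo <vm> --machinereadable` output on stdin, prints one
# line per violated rule, and returns the number of findings (0 = clean).
# Key names below are assumed from VirtualBox's machine-readable format; verify
# them against your own installation before relying on this check.

audit_vminfo() {
    findings=0
    while IFS= read -r line; do
        key=${line%%=*}          # text before the first '='
        val=${line#*=}           # text after it, usually wrapped in double quotes
        val=${val%\"}; val=${val#\"}
        case "$key" in
            clipboard|draganddrop)
                # Only "disabled" or one-way host->guest sharing is acceptable;
                # guest->host or bidirectional lets the VM write into the host.
                case "$val" in
                    disabled|hosttoguest) ;;
                    *) echo "$key=$val: guest can push data to the host"
                       findings=$((findings + 1)) ;;
                esac ;;
            nic[0-9]*)
                # NAT or no adapter keeps the guest off the host's LAN segment;
                # bridged (and host-only) adapters expose the host/network directly.
                case "$val" in
                    none|nat|intnet) ;;
                    *) echo "$key=$val: adapter is not NAT/none"
                       findings=$((findings + 1)) ;;
                esac ;;
            SharedFolderNameMachineMapping*)
                # Any shared folder is a writable path from guest to host.
                echo "shared folder present: $val"
                findings=$((findings + 1)) ;;
        esac
    done
    return $findings
}

# Constructed sample dump (not real VBoxManage output) showing a badly configured lab VM.
SAMPLE_VMINFO='name="malware-lab"
clipboard="bidirectional"
draganddrop="disabled"
nic1="bridged"
nic2="none"
SharedFolderNameMachineMapping1="samples"
SharedFolderPathMachineMapping1="/home/analyst/samples"'

# Stand-alone demo: print findings for the constructed sample.
if printf '%s\n' "$SAMPLE_VMINFO" | audit_vminfo; then
    echo "sample VM: no findings"
else
    echo "sample VM: $? isolation rule(s) violated (see above)"
fi
```

To audit a real VM, pipe the live dump in: `VBoxManage showvminfo "malware-lab" --machinereadable | audit_vminfo`, and only power it on (ideally from a clean snapshot) when the function returns 0.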