"Lastly, the malware looks at the system's MAC address and compares it to organizationally unique identifier (OUI) prefixes usually used by virtual machines."
This is just nuts. There is NO reason for a VM to use predictable addresses like this, and this obvious route to identifying the presence of a VM should have been revealed by even a cursory security review. Certainly, the services are a "bigger" issue in this regard, but to not even bother with such a simple & obvious change...
This is why we can't have nice things.
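For anyone running an analysis sandbox, the check the quoted report describes can be turned around into an audit of your own guests. This is an added example, not part of the comment above or the quoted report; the prefix table lists well-known hypervisor defaults, and the guest names and addresses in `SAMPLE` are constructed.

```python
import re

# Default MAC prefixes used by common hypervisors. 52:54:00 is the QEMU/KVM
# default and is a locally administered prefix rather than a registered OUI.
VM_PREFIXES = {
    "000569": "VMware", "000C29": "VMware", "001C14": "VMware",
    "005056": "VMware", "080027": "VirtualBox", "00155D": "Hyper-V",
    "00163E": "Xen", "001C42": "Parallels", "525400": "QEMU/KVM",
}

def normalise(mac):
    """Return 12 upper-case hex digits, or None if not a 48-bit MAC."""
    digits = re.sub(r"[:\-.\s]", "", mac).upper()
    return digits if re.fullmatch(r"[0-9A-F]{12}", digits) else None

def audit_mac(mac):
    """Classify one address the way an OUI-based VM check would see it."""
    digits = normalise(mac)
    if digits is None:
        return "invalid"
    vendor = VM_PREFIXES.get(digits[:6])
    if vendor:
        return f"exposed:{vendor}"
    first_octet = int(digits[:2], 16)
    if first_octet & 0x01:
        return "invalid"  # multicast bit set: not usable as a NIC address
    if first_octet & 0x02:
        # Assumed heuristic: not vendor-assigned, so worth a manual look.
        return "review:locally-administered"
    return "ok"

def audit_guests(inventory):
    """Map guest name -> [(mac, finding)] for every NIC that is not 'ok'."""
    report = {}
    for guest, macs in inventory.items():
        findings = [(m, audit_mac(m)) for m in macs]
        findings = [f for f in findings if f[1] != "ok"]
        if findings:
            report[guest] = findings
    return report

# Constructed inventory of sandbox guests (hypothetical names and addresses).
SAMPLE = {
    "win10-a": ["00:0c:29:3e:1a:7f"],
    "win10-b": ["0800.27ab.cdef"],
    "win10-c": ["3C-52-82-11-22-33"],
    "linux-a": ["52:54:00:12:34:56", "02:00:4c:4f:4f:50"],
}

if __name__ == "__main__":
    for guest, findings in audit_guests(SAMPLE).items():
        print(guest, findings)
```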