This my understanding of it, but you may want to clarify from other sources
Yup, an XP VBox VM (virtual machine) can be infected by malware etc.
I would treat it as if your you were running the "real" thing and that you can get compromised in the same way.
It installs software the same way and to the same places as a "real" Windows setup so malware knows where to go
One area it differs is in the fact that the VM's virtual hard drive is basically just one file which can be deleted like any other file; the joy is that this "file" is like a little self contained capsule.
An exception is if you have Shared Folders and/or network File Sharing setup which obviously allows data to be sent through to the host machine (and vice versa).
At this point in time I'm unaware of any Windows
malware being able to infect a Linux machine.
I know some people that make a Windows VM and set it up just as they want it, and then copy it a few times. Then when they have to use the Windows VM, they use a "clean" copy of it and then delete it from their system after use. Providing they keep the original "clean" VM hard drive they can keep making copies of it and discard it. Gotta remember to have a least one good copy though.....
BUT in saying all that, I always bear in mind that it's all computer software code thus it's fallible, so good practice should be done whatever system I'm running