VMware Communities
hankn
Contributor

Looking for automated A/V run in virtualized sandbox

Since I am a newbie here, please accept my apologies if this has been covered already or is not in the proper forum.

I am looking to set up a number of VMwares where each will run a different A/V like Kaspersky or Bitdefender or ClamAV. But I will not be asking the VM to run the A/V engine on the injected malware but rather I want to "run" (execute) the malware in this VM sandbox and see what the A/V engine says has happened.

I would run 5 VMs in parallel, each with its own A/V engine and inject the malware and let it execute and would want to extract the A/V logs to see what "bad" has happened. All automated via a CLI.

Has anyone done something similar? What API would I need? Which VMware platform should I be focusing on to accomplish this? Any suggestions and ideas welcome.

Thanks!

4 Replies
continuum
Immortal

You probably want to have isolated VMs if you want to test malware inside of them.

That means you should not install vmware-tools - which means you also block existing APIs from running correctly.

Looks like you need some custom fiddling with batch files and/or AutoIt.


________________________________________________
Do you need support with a VMFS recovery problem? - send a message via skype "sanbarrow"
I do not support Workstation 16 at this time ...

Chayak
Contributor

Ok, first off you're going about it the wrong way. Yes you should have multiple VMs with different A/V running to scan the file and see if any detect it. If you want to see what happens you're going to have to make a VM that's designed to run malware and have it on a private network with a Linux host with some tools installed like netcat, ircd, etc.

The standard run for malware behavioral analysis is to run it in the target VM with Wireshark, ProcMon, and ProcExp running. ProcMon is good about catching registry writes and files dropped up to the point where a kernel level rootkit takes over and then it's blind, but you can at least see what's going on up to that point using filters for 'WriteFile' and 'RegSetValue'. Make SURE the log is writing out to disk as a lot of newer malware has VM detection and they sometimes do some nasty stuff like eating the VM instead of their normal behavior. You need to find other VM software that has similar images so if it detects one you can switch to others.

Now for those a bit more skilled we do static analysis using something like IDA Pro or OllyDbg so we can look at the file in assembly and see what it does.

www.virustotal.com is a nice service that you can just submit a file to and it will be run through quite a few AV engines and give you the result. It saves you the time of setting up an AV gauntlet and keeping it up to date.

Oh and the last note that if you're serious about doing malware research make sure your machine is running Linux as the host OS. I've seen accidental runs on hosts and it's never pretty as with some of the nastier combo type malware you just have to wipe your machine and reinstall from scratch to ever be able to trust it again.

As for what VMware to use I'd say workstation hands down. The multiple snapshots are very nice as you can have a single image with different states of patching/etc.
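The ProcMon advice in the reply above (filter on WriteFile and RegSetValue, and keep the log on disk) comes down to reading the exported log after the run. The script below is an added example, not code from this thread or from Sysinternals: it parses a ProcMon CSV export, keeps only the file-write and registry-write events, groups them per process, and marks registry writes under the CurrentVersion\Run keys that are commonly used for persistence. The CSV rows are a constructed sample, not a real capture; the column names are the ones ProcMon writes when you save a trace as CSV.

```python
"""Triage a Process Monitor CSV export for the two event types the reply
singles out: file writes (WriteFile) and registry value writes (RegSetValue).

Added example, not code from the thread or from any VMware/Sysinternals tool.
The column layout (Time of Day, Process Name, PID, Operation, Path, Result,
Detail) is what ProcMon's "Save as CSV" produces; the rows below are a
constructed sample, not a real capture."""
import csv
import io
from collections import defaultdict

# Constructed sample export: a dropped file under AppData plus a Run-key entry
# pointing at it, mixed with unrelated noise from explorer.exe and svchost.exe.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000000","sample.exe","1234","CreateFile","C:\Users\lab\AppData\Roaming\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:00:01.0100000","sample.exe","1234","WriteFile","C:\Users\lab\AppData\Roaming\svc.exe","SUCCESS","Offset: 0, Length: 65,536"
"10:00:01.0200000","sample.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc","SUCCESS","Type: REG_SZ, Length: 78, Data: C:\Users\lab\AppData\Roaming\svc.exe"
"10:00:01.0300000","explorer.exe","800","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 2"
"10:00:01.0400000","sample.exe","1234","WriteFile","C:\Windows\Temp\tmp1.dat","SUCCESS","Offset: 0, Length: 1,024"
"10:00:01.0500000","svchost.exe","900","WriteFile","C:\Windows\System32\LogFiles\WMI\trace.etl","SUCCESS","Offset: 0, Length: 4,096"
'''

WATCHED_OPS = {"WriteFile", "RegSetValue"}

# Registry locations commonly used for persistence; a RegSetValue under one of
# these deserves a closer look. Substring match, case-insensitive, so it also
# covers RunOnce.
AUTORUN_KEYS = (r"\Software\Microsoft\Windows\CurrentVersion\Run",)


def parse_procmon_csv(text):
    """Parse a ProcMon CSV export into a list of dict rows keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows, process=None):
    """Reduce the event stream to what changed on disk and in the registry.

    Returns {process_name: {"files": set, "registry": set, "autorun": set}}
    for every process with at least one WriteFile or RegSetValue. Passing
    `process` mirrors the ProcMon filter "Process Name is sample.exe"."""
    summary = defaultdict(lambda: {"files": set(), "registry": set(), "autorun": set()})
    for row in rows:
        if row["Operation"] not in WATCHED_OPS:
            continue
        if process and row["Process Name"].lower() != process.lower():
            continue
        entry = summary[row["Process Name"]]
        path = row["Path"]
        if row["Operation"] == "WriteFile":
            entry["files"].add(path)
        else:
            entry["registry"].add(path)
            if any(key.lower() in path.lower() for key in AUTORUN_KEYS):
                entry["autorun"].add(path)
    return dict(summary)


def report(summary):
    """Render the triage summary as plain text, one section per process."""
    lines = []
    for proc in sorted(summary):
        entry = summary[proc]
        lines.append(f"== {proc} ==")
        lines.extend(f"  wrote file:   {p}" for p in sorted(entry["files"]))
        lines.extend(f"  set registry: {p}" for p in sorted(entry["registry"]))
        lines.extend(f"  AUTORUN:      {p}" for p in sorted(entry["autorun"]))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(parse_procmon_csv(SAMPLE_CSV), process="sample.exe")))
```

Pointing `parse_procmon_csv` at the CSV pulled out of the analysis VM, rather than at `SAMPLE_CSV`, gives the per-run "what did it write" summary the question asks for; anything the log did not capture because a rootkit blinded ProcMon is, as the reply says, simply absent.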

hankn
Contributor

Can I ask why you state "That means you should not install vmware-tools - which means you also block existing apis from running correctly."?

Why not install vmware-tools?

hankn
Contributor

Thanks. I already have a virustotal-like system running in-house. But that just takes the malware and runs it against a bunch of A/Vs to see if any of them detect a signature.

But unfortunately no Linux. Must be Windows based. I'll go with VMware Workstation as you recommended as well as Wireshark, Procmon and Procexp.

But I am still looking for more info about running the VMware session and injecting the malware to start executing.

I have read the 500-page VMware Workstation User Manual but cannot find any reference on how to work in command line mode to get the VM started, and then have certain programs start up as per my CLI (like Procmon) and then have malware-x start running and when finished do steps A, B and C and then shut back down. Any hints?

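The start-tools-run-collect-shutdown sequence asked about above is an added example, not an answer from anyone in this thread and not VMware's code. It drives VMware Workstation through vmrun, the command-line tool that ships with Workstation: revertToSnapshot, start and stop act on the VM from the host and need nothing inside it, while copyFileFromHostToGuest, runProgramInGuest and copyFileFromGuestToHost are carried out by VMware Tools in the guest, which is exactly the dependency continuum warns about. The VM paths, the snapshot name, the guest account, the tool locations and the 120-second run time are all assumptions; the host is taken to be Windows, as stated above, so paths are built with PureWindowsPath. The dry run (the default) only assembles and prints the plan, one thread per VM, so several A/V VMs are driven in parallel.

```python
"""Drive VMware Workstation analysis VMs from the host command line.

Added example, not code from the thread or from VMware. It wraps vmrun, the
CLI bundled with VMware Workstation. Host-side operations (revertToSnapshot,
start, stop) work on any VM; every operation that reaches inside the guest
(copyFile..., runProgramInGuest) goes through VMware Tools. All paths, the
snapshot name, the guest account and the run time are assumptions."""
import subprocess
import time
from concurrent.futures import ThreadPoolExecutor
from pathlib import PureWindowsPath

VMRUN = "vmrun"                                  # assumed to be on PATH
SNAPSHOT = "clean"                               # assumed snapshot taken before any sample ran
GUEST_USER, GUEST_PASS = "lab", "labpass"        # assumed local account inside each guest
GUEST_PROCMON = r"C:\Tools\Procmon.exe"          # assumed ProcMon location in the guest
GUEST_SAMPLE = r"C:\Drop\sample.exe"             # assumed drop location in the guest
GUEST_LOG = r"C:\Drop\run.pml"
GUEST_CSV = r"C:\Drop\run.csv"

# One VM per A/V product, as the question describes (paths are assumptions).
AV_VMS = {
    "kaspersky": r"C:\VMs\av-kaspersky\av-kaspersky.vmx",
    "bitdefender": r"C:\VMs\av-bitdefender\av-bitdefender.vmx",
    "clamav": r"C:\VMs\av-clamav\av-clamav.vmx",
}


def host_cmd(*args):
    """vmrun operation that only touches the VM from outside (no Tools needed)."""
    return [VMRUN, "-T", "ws", *args]


def guest_cmd(*args):
    """vmrun operation executed inside the guest: needs VMware Tools and a guest login."""
    return [VMRUN, "-T", "ws", "-gu", GUEST_USER, "-gp", GUEST_PASS, *args]


def display(cmd):
    """Render a command for logging with the guest password masked."""
    shown = list(cmd)
    if "-gp" in shown:
        shown[shown.index("-gp") + 1] = "***"
    return " ".join(shown)


def build_plan(vmx, sample_on_host, log_dir_on_host, run_seconds=120):
    """Ordered (description, command, seconds_to_wait_after) steps for one run."""
    out_csv = str(PureWindowsPath(log_dir_on_host) / (PureWindowsPath(vmx).stem + ".csv"))
    return [
        ("revert to clean snapshot", host_cmd("revertToSnapshot", vmx, SNAPSHOT), 0),
        ("power on without a console window", host_cmd("start", vmx, "nogui"), 60),
        ("copy sample into guest",
         guest_cmd("copyFileFromHostToGuest", vmx, sample_on_host, GUEST_SAMPLE), 0),
        # /BackingFile makes ProcMon write the trace straight to disk, so it
        # survives a sample that detects the VM and takes it down mid-run.
        ("start ProcMon logging to disk",
         guest_cmd("runProgramInGuest", vmx, "-noWait", GUEST_PROCMON,
                   "/AcceptEula", "/Quiet", "/Minimized", "/BackingFile", GUEST_LOG), 5),
        ("execute sample", guest_cmd("runProgramInGuest", vmx, "-noWait", GUEST_SAMPLE), run_seconds),
        ("stop ProcMon", guest_cmd("runProgramInGuest", vmx, GUEST_PROCMON, "/Terminate"), 5),
        ("export ProcMon log as CSV",
         guest_cmd("runProgramInGuest", vmx, GUEST_PROCMON, "/OpenLog", GUEST_LOG, "/SaveAs", GUEST_CSV), 0),
        ("pull CSV back to host", guest_cmd("copyFileFromGuestToHost", vmx, GUEST_CSV, out_csv), 0),
        ("power off", host_cmd("stop", vmx, "hard"), 0),
    ]


def execute(plan, dry_run=True):
    """Run the steps in order and return the commands issued.
    In dry-run mode nothing is executed or slept; the plan is only printed."""
    issued = []
    for description, cmd, wait in plan:
        print(f"[{description}] {display(cmd)}")
        if not dry_run:
            subprocess.run(cmd, check=True)
            time.sleep(wait)
        issued.append(cmd)
    return issued


def run_all(vm_map, sample_on_host, log_dir_on_host, dry_run=True):
    """Run the same sample in every VM concurrently, one worker thread per VM."""
    with ThreadPoolExecutor(max_workers=len(vm_map)) as pool:
        futures = {name: pool.submit(execute, build_plan(vmx, sample_on_host, log_dir_on_host), dry_run)
                   for name, vmx in vm_map.items()}
        return {name: fut.result() for name, fut in futures.items()}


if __name__ == "__main__":
    run_all(AV_VMS, r"C:\samples\sample.exe", r"C:\logs", dry_run=True)
```

Flipping `dry_run` to False performs the steps for real; the fixed sleeps after power-on and after launching the sample are the crude part of this design, and an A/V product's own log would be collected with one more copyFileFromGuestToHost step pointed at wherever that product writes it.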