You're saying you've found malware that's been code-signed using a Verisign CA as the parent?
If that's so you should tell Verisign. They operate a strict authentication system and don't issue certificates until they've confirmed you are who you say you are. If they've issued a cert to someone being naughty then they'll revoke it.
Windows will of course detect them as valid certificates because Verisign is in the Windows trusted root authority store by default. Start - Run - MMC - Add Snapin - Certificates - Local Machine, then "Trusted Root Certificates" - "Certificates" folder. You'll find them there.
No, it's not possible to create "fake" code signing certs that are still trusted. That's the entire point of PKI, asymmetric encryption etc. You can of course install your own root CA, call it "Verisign" and get it to issue certs with all the same properties as the real Verisign CAs, but your certs still won't be trusted by default.
The entire PKI system in Windows works exactly the same as it does everywhere else. The only difference is that Microsoft include certs from the major issuers by default, which saves you going to Verisign, Thawte etc. and installing ("trusting") their certs manually every time you reinstall Windows.
Little test, not recommended. Find a website that uses Verisign certs for SSL, then export and delete the Verisign certs from your local trusted authority store. Go back to the website and you'll be warned that you don't trust the cert being used for SSL.
Fun and interesting topic, but you've got a lot of reading ahead.
*edit*, hold on, I just re-read that. I think you mean, company A legally bought a cert from Verisign then got hacked, and someone used that cert to sign their own malicious code. In which case yes, that's perfectly possible. But you should still tell the company/Verisign because it's a serious issue - the cert has been compromised and must be revoked.
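The three situations in the post (a cert legitimately issued by a trusted root, a cert from a look-alike root with the same name that is not in the store, and a legitimately issued cert that was stolen and then revoked) can be reproduced in memory with Go's standard `crypto/x509` package. This is an added example, not code from the original post: the "Verisign" root is a constructed stand-in for the real root shipped in the Windows store, the company names, serial numbers and 24-hour validity are made up, and a CRL signed by the root is assumed to be the revocation mechanism. Nothing here reads or modifies the real trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca bundles a CA certificate with its private key (all generated in memory).
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newRoot builds a self-signed root. Two roots built with the same name look
// identical on paper but hold different keys, and trust follows the key.
func newRoot(name string) *ca {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{name}, CommonName: name + " Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return &ca{cert: must(x509.ParseCertificate(der)), key: key}
}

// issueCodeSigning issues an end-entity certificate limited to code signing.
func (c *ca) issueCodeSigning(subject string, serial int64) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: subject},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, c.cert, &key.PublicKey, c.key))
	return must(x509.ParseCertificate(der))
}

// revoke publishes a CRL, signed by the CA, listing the given serial numbers.
func (c *ca) revoke(serials ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1),
		ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, c.cert, c.key))
	return must(x509.ParseRevocationList(der))
}

// Verdict is what a relying party concludes about a signing certificate.
type Verdict struct {
	ChainTrusted bool // chains to a root in the store and is valid for code signing
	Revoked      bool // listed on a CRL that the trusted root actually signed
}

// check mirrors a client: build a chain to the trusted store, then consult the
// issuer's CRL. A CRL not signed by the trusted root is ignored.
func check(leaf *x509.Certificate, store *x509.CertPool, root *x509.Certificate, crl *x509.RevocationList) Verdict {
	v := Verdict{}
	opts := x509.VerifyOptions{Roots: store, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return v // untrusted chain: revocation status is moot
	}
	v.ChainTrusted = true
	if crl != nil && crl.CheckSignatureFrom(root) == nil {
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				v.Revoked = true
			}
		}
	}
	return v
}

// Scenario holds the three cases from the post.
type Scenario struct{ Legit, Impostor, Stolen Verdict }

func runScenario() Scenario {
	realRoot := newRoot("Verisign") // stands in for the root shipped in the Windows store
	impostor := newRoot("Verisign") // same name, our own key, never added to the store
	store := x509.NewCertPool()
	store.AddCert(realRoot.cert)
	legit := realRoot.issueCodeSigning("Company A", 100)
	fake := impostor.issueCodeSigning("Company A", 100)
	stolen := realRoot.issueCodeSigning("Company B", 200) // legitimately issued, later compromised
	crl := realRoot.revoke(200)                           // the CA revokes it once told
	return Scenario{
		Legit:    check(legit, store, realRoot.cert, crl),
		Impostor: check(fake, store, realRoot.cert, crl),
		Stolen:   check(stolen, store, realRoot.cert, crl),
	}
}

func main() {
	s := runScenario()
	fmt.Printf("legit: %+v\nimpostor: %+v\nstolen: %+v\n", s.Legit, s.Impostor, s.Stolen)
}
```

The impostor root fails not because of its name, which is identical to the real one, but because the chain cannot reach a key that is in the store. The stolen certificate chains fine, which is why the post's edit is right that it must be revoked: until the CRL lists its serial, a relying party has no way to tell it apart from honest use of the same cert.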