They can be spread through USB devices, internal networks, etc.
http://drdobbs.com/windows/227100042
USB Drive Virus Attack Verified
By Adrian Bridgwater, August 26, 2010
Pentagon cyberstrategy brought into question
U.S. Deputy Secretary of Defense William J. Lynn has verified the occurrence of a 2008 security breach where a USB stick was used on a U.S. military laptop at a base in the Middle East. Saying that today more than 100 foreign intelligence organizations are trying to hack into American military digital networks, Lynn suggests that the Pentagon has finally recognized the disastrous threats posed by cyberwarfare.
According to Secretary Lynn, the attack was initiated when an infected flash drive was inserted into the military laptop during operations at an unspecified location in the Middle East. The malicious computer code, placed there by a foreign intelligence agency, then uploaded itself onto a network run by the U.S. Central Command.
"That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control. It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary," said Lynn.
Secretary Lynn described this previously classified incident as the most significant breach and wake-up call of U.S. military computer use ever. The Pentagon's operation to counter the attack, known as Operation Buckshot Yankee, is said to have marked a turning point in U.S. cyberdefense strategy.
<snip>