It's possible to trick user to drag-n-drop malicious file into special (for example autostart) folder.
vulners.com/securityvulns/securityvulns:doc:7768