I suspect that such a virus already exists.
It is silently spreading and collecting wallet.dat files as we speak.
Once it has incubated for long enough it will spend all balances at the same time.
This strategy will maximise its profit. By the time infected users find out about it, it's too late.
Let's consider the possibility.
Install on a TrueCrypt volume and run only if the USB key is in and the volume is decrypted?
They would have to get it all at once because the first vulnerability is going to send bitcoin through the floor. http://en.wikipedia.org/wiki/SHA-2
Maybe the designers already know how to crack it?