Remotely triggered Trojans: 

Virus writers do not need their Trojan to be run as soon as it is
stored. If they know where it is and what it is called, they can use
other HTML code to run it later. One contributor to hackers' Web
site L0pht provided the following snippet to demonstrate this. 

First place a copy of Calc.exe in your Windows\System32 folder.
Then create a valid HTML page containing no more than the
following code in the body of the page: 

CODEBASE='c:\windows\system32\calc.exe'> 

Open this file in Internet Explorer ­ and watch Calc being run. It
takes little imagination to see how easy it is to get a hidden Trojan
to run silently.