Just published was an interesting article describing for the first time the possibility and example implementation of a RFID based virus. Although it seems quite astonishing that a passive device with such limited resources (about 128 bytes of storage) can do harm, this nicely corresponds to a biological virus - limited in information (although the latter are of course much more complicated usually), passive until in the correct expressive environment and somehow 'physical' due to its incarnation in a physical tag.
The basic idea is that the tag id stored on the RFID tag can be used for various attacks in the RFID middleware, which typically contain DB and Web servers. This could be via buffer overflow attacks (possible since there are commands like 'write multiple blocks' available) or SQL injection attacks which can be very small.
The scenario starts with an infected RFID tag, i.e. a RFID tag with carefully crafted tag id. The RFID reader will activate the tag, read the data, the middleware will use it for SQL queries against a database - where the SQL injection happens, which will prepare data later to be written to subsequent RFID tags. This will spread the virus to other RFID tags (which then will travel around the world).
The authors are able to actually implement such a virus with 127 bytes in a demo scenario, including a small payload which in combination with Apache Server Side Includes will open a backdoor for a brief time ...
Title: "Is Your Cat Infected with a Computer Virus?"
Authors: Melanie R Rieback, Bruno Crispo, Andrew S Tanenbaum
available at http://www.rfidvirus.org/papers/percom.06.pdf.
For more information, see also http://www.rfidvirus.org/