It exploits lots of really poor practice on people’s networks to spread:
– not bothering with updates
– not bothering with MS security bulletins (or not taking “out of band security update” seriously)
– weak passwords, especially for local admin accounts
– people having domain admin accounts for everyday use
– allowing USB storage including autorun
Anyone who’s a home user who’s been running auto updates (this was patched back in October) should be just fine. Still worth having decent passwords though.
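
A read-only PowerShell check for four of the practices listed above (updates, autorun, local admin accounts, everyday domain admin use), added here as an example and not part of the original comment. It assumes Windows PowerShell 5.1 or later; the 30-day patch threshold and the variable names are assumptions.

```powershell
# Added audit example (not from the original comment). Read-only; run elevated.
# Thresholds below are assumptions, adjust to local policy.
$MaxPatchAgeDays = 30   # assumed threshold
$findings = @()

# 1. Updates: how old is the most recently installed hotfix?
$last = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $last -or $last.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
    $findings += "No hotfix installed in the last $MaxPatchAgeDays days"
}

# 2. Autorun: NoDriveTypeAutoRun = 0xFF disables it for every drive type.
#    Only the machine-wide policy is checked; a per-user value may also exist.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$val = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($val -ne 0xFF) {
    $findings += "Autorun not disabled for all drive types (NoDriveTypeAutoRun = '$val')"
}

# 3. Local admin accounts: enabled local users in Administrators (SID S-1-5-32-544)
#    that do not require a password. Password strength itself is not visible here.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
          Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' }
foreach ($m in $admins) {
    $u = Get-LocalUser -SID $m.SID
    if ($u.Enabled -and -not $u.PasswordRequired) {
        $findings += "Local admin '$($u.Name)' does not require a password"
    }
}

# 4. Everyday use of domain admin: is the logged-on user in Domain Admins (RID 512)?
$me = [Security.Principal.WindowsIdentity]::GetCurrent()
if ($me.Groups | Where-Object { $_.Value -match '^S-1-5-21-.*-512$' }) {
    $findings += "Current session '$($me.Name)' is a Domain Admins member"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No findings for the four checks.' }
```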