A virus could concievably exploit a running piece of signed code (aka an X-box live exploit targeted at a specific game) but even if you were able to store the virus code on the HDD it would still not be signed and would be unable to execute the next time the X-box was started because of a lack of digital signature. It would have to run as SirDice suggested, hopping from box to box which is running the exploitable code. Not sure what you could do with it other than maybe erase savedgames on the victims HDD and propagate, still would be a fun POC if you could find a remote exploit in an X-box live enabled app.

-Maestr0