LNK files can point to DLLs that get loaded by Explorer when it draws the icon for the link target.

I only know this because I watched an excellent video explaining the 0-day vulnerabilities that stuxnet used by Microsoft leet hax0r Bruce Dang.

http://www.youtube.com/watch?v=rOwMW6agpTI#t=13m49s

Is USB autorun not enabled by default in XP? I tried getting some stuff to autorun from a thumbdrive and I never did get it working.

Microsoft recently patched that so it's no longer the default action.

Stuxnet didn't use autorun, it used vulnerabilities in the code windows executes after the insertion of a new flash drive