Can Malware Run itself without being executed?

jamescv7

Exploits usually execute a certain program, and drop and replace some operations without user intervention, hence your AV should alert on that.

But a typical malware sample will not run unless you click it. Also remember that AVs have a read-scan algorithm, so when you hover the mouse over a file a pop-up will appear for a malicious action.
 
Deleted member 2913

You can try Comodo Cleaning Essentials.

Run KillSwitch and see whether there are any unknown/malware processes.
Run quick repair and see whether any critical components have changed.
Run autorun analyzer and see whether there are any unknown/malicious entries.
 
hjlbx

Yes. Malware can execute without user launching it.

Generally this is accomplished by exploiting a vulnerability in an application or the operating system. Most commonly the malware attempts to modify the system so it can execute at system start.

The list below is by no means comprehensive or complete - just a list of commonly encountered auto-start methods.

Some examples include:

1. By making a registry key entry\entries to start-up at system boot (Poweliks)
2. By installing a *.job file to Task Scheduler to execute (Win32.Conficker.Worm)
3. By placing a start-up file inside the OS start folder
4. Installation of auto-run scripts (AutoIT - Dark Comet RAT variants)
5. By abusing the built-in auto-run feature of Windows (Win32.Autorun.Worm)
6. By registering as a service on Windows so that it is loaded at system start (Wiper.A.Trojan.Backdoor)

The point here is that an exploit must occur first.

Malware files downloaded to your system and never opened are "inert" on your system.

Against such techniques HIPS\anti-executable - combined with user knowledge of malware behaviors - is the most capable physical system protection possible.

Until a security soft vendor comes up with a SkyNet that will behave, your brain is the best protection for your system; the security softs are just tools that make the job of protecting your system easier.
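
A read-only way to check the auto-start locations from the list above (methods 1, 2, 3, 5 and 6) on your own machine, in the spirit of the autorun analyzer mentioned earlier in the thread. This is an added example, not part of any post; the function name `Get-AutoStartInventory` and the selection of Run keys are assumptions made here, and it assumes Windows 8 or later with PowerShell 3.0+.

```powershell
# Added example (not from the thread): read-only inventory of auto-start locations.
# Get-AutoStartInventory is a hypothetical name; nothing here modifies the system.
function Get-AutoStartInventory {
    # Method 1: registry Run/RunOnce values, machine-wide and per-user
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($path in $runKeys) {
        $key = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Method = 'Registry'; Source = $path; Name = $name; Command = $key.GetValue($name) }
        }
    }
    # Method 2: scheduled tasks and the command each action runs
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            [pscustomobject]@{ Method = 'Task'; Source = $task.TaskPath; Name = $task.TaskName
                               Command = "$($action.Execute) $($action.Arguments)".Trim() }
        }
    }
    # Method 3: files in the per-user and all-users Startup folders
    foreach ($folder in 'Startup', 'CommonStartup') {
        $dir = [Environment]::GetFolderPath($folder)
        if (-not $dir) { continue }
        Get-ChildItem -Path $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Method = 'StartupFolder'; Source = $dir; Name = $_.Name; Command = $_.FullName }
        }
    }
    # Method 5: autorun.inf in the root of any mounted drive
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            [pscustomobject]@{ Method = 'Autorun'; Source = $drive.Root; Name = 'autorun.inf'; Command = $inf }
        }
    }
    # Method 6: services configured to start automatically
    Get-CimInstance -ClassName Win32_Service -Filter "StartMode = 'Auto'" | ForEach-Object {
        [pscustomobject]@{ Method = 'Service'; Source = 'SCM'; Name = $_.Name; Command = $_.PathName }
    }
}
Get-AutoStartInventory | Sort-Object Method, Name | Format-Table -AutoSize -Wrap
```

Run it from an elevated session so machine-wide tasks and services are visible; entries whose command points into a temp or user-profile directory, or that you cannot attribute to installed software, are the ones to look at first.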
 

Vasudev

hjlbx said: "Until a security soft vendor comes up with a SkyNet that will behave, your brain is the best protection for your system; the security softs are just tools that make the job of protecting your system easier."

I personally don't want SkyNet or any other vendor to have full control over my PC or any devices. I prefer my brain to do a little work rather than going idle most of the time. The best thing about the brain is that it doesn't need a CPU cooler or liquid nitrogen to cool it; just a good night's sleep will cool your brain.
 
LabZero

If, for example, we talk about malicious JavaScript code that infects a web page, "it could auto-launch itself", as the inserted code can be an HTML iframe or an embedded script, allowing the browser to load, without it being noticed, malicious content from another remote site. This is not visible to the victim. Usually, the loaded content consists of multiple components designed for the exploitation of client-side vulnerabilities, such as HTML, JavaScript, Flash, PDF and Java. It is not necessary for the user to click on a link in an email, or to surf web pages potentially at risk. On loading the legitimate but compromised website, the malicious code runs when the page loads in the browser.

But it is clear that in this case too the intervention of the user is required: the user opens the browser and visits the infected/compromised page.

But the question was: can a sample, on our desktop, auto start itself without intervention?

I believe, in this specific condition, the answer is no.

Even in the case of a "time bomb", i.e. malware that runs itself after a preset time, the routine that calculates the "X time" is part of processed code that needs to be launched, even indirectly, by the user.

Malware is a piece of code that should be executed so that Windows can read, interpret and execute the following code lines.
 
