There are different sorts of malware.
A traditional form of virus or worm can sit on the USB, but will not be
activated until triggered - usually by opening the file or attempting to
run the application containing the virus. The answer here, obviously, is
1. Specific USB attacks may emulate a keyboard and issue commands - this
may allow files to be exfiltrated or malware to be installed. This will
affect the sys-usb device *and perhaps dom0*. If you have sys-usb
automatically attach keyboard without prompt you wont notice this.
2. A bad USB may also spoof a NIC - unlikely to be relevant in Qubes unless
you have combined sys-net/usb.
3. A bad USB may attack the controller, and then infect controller chips
of other USB devices connected to the computer. If possible, separate
controllers, and use them for specific purposes - e.g have one
controller attached to an "open" sys-usb and **only** use that for
4. A modified USB may detect that the computer is starting up, and boot a
small virus which will infect the operating system prior to boot. Don't
boot your machine with USB devices attached.
5. Other stuff.
So the broad answer to your question is "Yes".
Depending on the type of attack, you can mitigate risk by using
disposable sys-usb qubes, limiting USB device types within sys-usb
using udev rules, separating controllers and so on.
If you think you are a real target, don't use USB - it takes seconds to
physically disable USB ports. Port lockers are also available, if you
*must* have a USB port.