The research paper is a few months old, but apparently just being publicized: Researchers at Indiana University modeled how wireless routers, if targeted with a virus, could spread such a virus among other routers. There are a lot of variables involved: whether the administrative password on the router was changed from its default; whether no encryption, WEP, or WPA/WPA2 is enabled; and the heterogeneity of router models, as viruses aren't one size fits all. Even though the paper is weeks old, the notion seems to have captured the mind of technology sites, which are all writing about it. (Some event sparked the paper's rediscovery?)
In their modeling, they looked at wardriving data that let them figure out how close Wi-Fi routers were. They found that there is likely enough density for tens of thousands of routers to be infected over a period of days. In Chicago, for instance, they found 48,000 contiguous routers assuming a 45-meter maximum interaction distance.
The wardriving data let them also determine which routers had which modes of encryption enabled to determine the speed and possibility of attacks. They assumed that routers protected by WPA are immune, which is reasonable; there's no known generic hack for WPA, only cracks that involve precomputed large databases of keys based on default network names (SSIDs).
Their assumption on administrative access to a router is predicated that someone who hasn't changed the router's SSID is likely also to have left the password unchanged. For the rest, they assume that 25 percent of passwords can be guessed with 65,000 attempts, which conforms to other password research. Routers, they found, don't have a mechanism to delay and disable password access due to failed attempts.
One thing I don't see addressed in the report is how many different worms would be required based on the many different models of Wi-Fi routers and the many firmware releases for each. There's an assumption buried that I don't see in which a certain homogeneity of routers--seeded by DSL providers, for instance, and aided by Linksys's dominance in the market?--has to be in place to be sure that enough security holes exist, are unpatched, and can be exploited.