With the preceding in mind, how does SPF prevent a virus-infected,
hijacked computer from sending abuse email?
It doesn't. It DOES, however, make them accountable to either the
domain used by the owner of the infected machine, or by a throw-away
spammer domain.
It's worth pointing out, unless I'm mistaken, that the entire endemic
population of mail worms would fail under SPF. None of them would
authenticate because they all pick MAIL FROM addresses essentially at
random and then use built-in MTAs, none of which will be registered in
any DNS.
It would also be much harder to write one that would be successful, and
the messages would actually come from where they purport to come from,
making it easier to shut down the worm. For instance, if there is a
throwaway domain involved it would be quickly shut down.