Malware can't spread via ultrasound, but it could certainly communicate via ultrasound. To spread would require that a sound picked up by the microphone would be executable, and in general, that can't happen. (In specific it can, of course; one could build a program to execute things from the microphone on purpose. But generally microphones do not get their input executed, and any hardware that did that would be incredibly, insanely broken. Mind you, I'm not saying that doesn't exist... just that it would be incredibly, insanely broken. Even by the standards of embedded hardware programming.)
Also, I don't think the badBIOS guy claimed it was spreading via ultrasound, that was sort of a generalized misinterpretation in the community.
Microphone injection reminds of the picture going around with the person who taped a sql injection attack over their license plate to screw with the traffic cams.
Also, I don't think the badBIOS guy claimed it was spreading via ultrasound, that was sort of a generalized misinterpretation in the community.