Short version: yes, you can get a virus from any website, including YouTube and Facebook.
There are a huge number of ways in which you can get infected with malware (a virus is a specific type of malware; see https://en.wikipedia.org/wiki/Malware for more details on this).
To maintain anything resembling a short (but still worth getting a drink now...) answer to this question, I'll stick to the ones that affect most people - not necessarily the most sophisticated.
There is a lot more which could be said here, but I think the most important one for most people to understand is email security, therefore see below for details on how this is the most common vector for malware infection.
The number one infection mechanism is still via phishing email campaigns. Phishing is a malicious form of spam. There are lots of different types of spam, which range from simple advertising 'annoying' spam to heavily targeted spear-phishing email (https://en.wikipedia.org/wiki/Phishing).
These emails typically contain one or more of the following active malicious elements:
a) Attachments
b) URLs (hyperlinks)
a) Attachments are fairly self-explanatory, however a common misconception is that they are only malicious if their file-extension is .exe - THIS IS NOT TRUE. The most common forms of malicious attachment are .pdf, .doc, .xls, .zip and .rar
The first three are document formats which, when opened, rely on exploiting a vulnerability within the associated software package (typically Microsoft Office or Adobe PDF Reader). Zip and Rar are archiving formats for compressing data such that it is more efficient to send large volumes of data over networks such as the internet.
A common technique which all malware authors take advantage of is a default Windows setting: 'hide file extensions for known file types'. What this means is that because Windows knows what to do with a .exe file, it will transform a filename of 'cool-picture.jpg.exe' into 'cool-picture.jpg', making the user think they're looking at a picture. The obvious giveaway with this is that Windows also knows what to do with a .jpg file, so if it were really a .jpg then the filename would simply be 'cool-picture' (assuming this default is left on, see below for instructions on disabling this).
b) URLs, unlike attachments, can be used for two motives. As with attachments they can be used to directly install malware on your machine by sending you straight to a malicious or compromised website.
More commonly nowadays they are attempting to steal user credentials for other online services. It is important to remember that excluding intellectual property theft and government/political disruption, all malware is after money. Therefore, in this scenario it is a lot easier to send a million people an email appearing to be from PayPal (including the 'From:' field, as this is configurable by the sender to say whatever they want) giving you some reason (they vary) as to why they need you to 'prove your account is active' and thus provide your credentials. To some people, who don't have PayPal, this is obvious spam. But phishing emails of this sort range from obvious forgeries (bad grammar, spelling etc., no customer-identifiable information, e.g. name/account number) to very advanced and accurate imposters, using logos, signatures and real templates they've obtained from the target company (PayPal) to convince as many people to click the link and provide their details as possible.
Mitigation - If you read nothing else in this post, read this bit!
1) Don't click links in emails
2) Don't click attachments in emails
3) Disable images in emails, either from untrusted senders or completely
4) Disable 'hide file extensions for known file types' (in XP, other guides are available via google) by following these steps
If you are not expecting attachments/URLs/images but you know the sender, ask them through another channel whether they sent it to you and what it's for. If their email has been compromised then it may have genuinely come from their account, but it wasn't them who did it - that way you help them know they're infected too!
Hopefully that will help more people understand how the bad guys work and therefore help them protect themselves. Safe-surfing to all!
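
The hidden-extension trick described above ('cool-picture.jpg.exe' shown as 'cool-picture.jpg') can be checked for mechanically. The following is an added example, not part of the original post: the extension lists, function names and sample attachment names are all constructed for illustration.

```python
import os

# Constructed, non-exhaustive lists for illustration.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".xls", ".txt"}
KNOWN_EXTS = EXECUTABLE_EXTS | DECOY_EXTS


def displayed_name(filename, hide_known_extensions=True):
    """Approximate what the user sees: with hiding on, the final known extension is dropped."""
    stem, ext = os.path.splitext(filename)
    if hide_known_extensions and ext.lower() in KNOWN_EXTS:
        return stem
    return filename


def classify(filename):
    """Return 'deceptive-double-extension', 'executable' or 'ok' for one attachment name."""
    name = filename.strip().lower()
    stem, last = os.path.splitext(name)
    # Padding such as 'invoice.pdf      .exe' pushes the real extension out of view.
    inner = os.path.splitext(stem.rstrip())[1]
    if last in EXECUTABLE_EXTS and inner in DECOY_EXTS:
        return "deceptive-double-extension"
    if last in EXECUTABLE_EXTS:
        return "executable"
    return "ok"


def review(attachments):
    """Return (real name, name shown with hiding on, verdict) for every non-'ok' attachment."""
    return [(a, displayed_name(a), classify(a)) for a in attachments if classify(a) != "ok"]


# Constructed sample attachment names, not taken from a real campaign.
SAMPLE = ["cool-picture.jpg.exe", "cool-picture.jpg", "Invoice.PDF   .EXE", "setup.exe"]

if __name__ == "__main__":
    for real, shown, verdict in review(SAMPLE):
        print(f"{verdict:28} real={real!r} shown={shown!r}")
```

A verdict of 'ok' only means the name is not disguised; as noted above, .pdf, .doc, .xls, .zip and .rar attachments can still be malicious.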