Verify checksums whenever you can on stuff you download, even from places like open-source mirrors.
The really sneaky ones will run a silent install X seconds after completion of the install routine of whatever it is you thought you downloaded. The setup.exe is really a binder in disguise, and may not get picked up by the scanners for a long time (weeks, months).
The reason it doesn't show up is that each .exe is crypted and compiled separately for each source location (PPI affiliate, etc.). When it finally does get caught by the scanners, they're only going to be able to catch the things that came from that particular source. It's kind of like the common cold virus: you keep getting it because it rarely has the same footprint.
Fortunately, most of the people doing this are the ones you see at BHW saying "OMFGZ WTF is a aDsenZe!!1" and use iexpress at default settings to make the binders. All you have to do is look at the file properties and you will see it is a self-extracting archive instead of a setup .exe.
Or they may not bind them at all. You will see these on P2P, masquerading as a file named something like yoursong.exe and weighing in at ~17 KB. This is what I like to call "fishing with a bare hook."
But if someone knows what they are doing, they can use more elaborate methods to disguise it, like changing the icons, hacking up the resource files, matching the file size to the real .exe, and changing the modified/creation dates. They can also delay the install of the payload and name the process the same as a commonly used one. This is usually enough to get past moderately tech-savvy users.
They can't duplicate the checksum though, at least not yet. Also, you can use something like Sandboxie to isolate the install and watch the processes.
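The two checks this post recommends, verifying a download against a published checksum list and spotting an iexpress-style self-extractor before running it, written up as a script. This is an added example, not code from the original post. It assumes a `sha256sum`-format checksum list (`<hex>  <name>` or `<hex> *<name>`) like the SHA256SUMS files open-source mirrors publish, and it treats two strings as markers of an iexpress package: the `Win32 Cabinet Self-Extractor` FileDescription of the wextract stub (stored UTF-16LE in the version resource) and the `MSCF` header of the embedded CAB archive. Both markers are a heuristic, not a signature; a real installer can legitimately carry a CAB. The sample files in `demo()` are constructed in a temp directory and are not real installers.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One line of `sha256sum` output: 64 hex chars, a space, then ' ' (text mode)
# or '*' (binary mode), then the file name.
SUMS_LINE = re.compile(r"^([0-9a-fA-F]{64}) [ *](.+)$")


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a multi-gigabyte ISO never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_sha256sums(text):
    """Map file name -> expected hex digest from a SHA256SUMS-style file.
    Names are reduced to their basename so 'dist/setup.exe' still matches;
    comments and malformed lines are ignored."""
    sums = {}
    for line in text.splitlines():
        m = SUMS_LINE.match(line.rstrip())
        if m:
            sums[os.path.basename(m.group(2))] = m.group(1).lower()
    return sums


def verify_download(path, sums_text):
    """Return 'ok', 'MISMATCH', or 'unlisted' for a downloaded file."""
    expected = parse_sha256sums(sums_text).get(os.path.basename(path))
    if expected is None:
        return "unlisted"  # no published checksum: unverified, which is not the same as OK
    actual = sha256_file(path)
    return "ok" if hmac.compare_digest(actual, expected) else "MISMATCH"


def cabinet_sfx_markers(data):
    """Heuristic (assumption, see lead-in): an iexpress package is the wextract stub,
    whose FileDescription is 'Win32 Cabinet Self-Extractor', with a CAB payload
    whose header begins with the bytes 'MSCF'. Returns the markers found."""
    if data[:2] != b"MZ":  # not a PE image at all
        return []
    found = []
    if "Win32 Cabinet Self-Extractor".encode("utf-16-le") in data:
        found.append("version-info:Win32 Cabinet Self-Extractor")
    if b"MSCF" in data:
        found.append("embedded-cab:MSCF")
    return found


def looks_like_cabinet_sfx(path):
    with open(path, "rb") as f:
        return bool(cabinet_sfx_markers(f.read()))


def demo():
    """Constructed sample: a 'published' SHA256SUMS, the matching download, a copy
    with one byte appended, and a fake self-extractor. None are real installers."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "setup.exe")
        with open(good, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"genuine installer bytes")
        sums_text = f"# constructed checksum list\n{sha256_file(good)} *setup.exe\n"

        tampered_dir = os.path.join(d, "tampered")
        os.mkdir(tampered_dir)
        tampered = os.path.join(tampered_dir, "setup.exe")  # same name, different bytes
        with open(tampered, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62 + b"genuine installer bytes" + b"\x90")

        sfx = os.path.join(d, "yoursong.exe")
        with open(sfx, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62
                    + "Win32 Cabinet Self-Extractor".encode("utf-16-le")
                    + b"MSCF" + b"\x00" * 32)

        return {
            "good": verify_download(good, sums_text),
            "tampered": verify_download(tampered, sums_text),
            "unlisted": verify_download(sfx, sums_text),
            "good_is_sfx": looks_like_cabinet_sfx(good),
            "sfx_is_sfx": looks_like_cabinet_sfx(sfx),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run it against a real download by calling `verify_download("setup.exe", open("SHA256SUMS").read())` and `looks_like_cabinet_sfx("setup.exe")`; a file that is "unlisted" has not been verified, and a positive SFX result is a reason to look at the file properties and run it under Sandboxie first, not proof of malice.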