If the file is something that never changes, then what is the point in making a download script? Why not just include it with whatever script the users are downloading anyway? If the file is something that changes, then the MD5 checksum can't be hard coded into the script, which means that it would have to be located on the website as well. And if the file is located on the website, then the hackers would just alter while they are uploading their virus.
Maybe I'm just paranoid, but if I found out that a script used was automatically downloading and executing an exe file from some random webserver, I would drop that script like a dirty sock.
-genius_at_work
