HTTP transfer can take place either by requesting the direct file (example:
http://somedomain.com/virus.exe), which is very easy for IDS systems or by serving the file from a dynamic server script (php) using the "attachment" content disposition mime type.
Example of http request of url direct file request using tcpdump:.UL.....GET /nginx/download.exe HTTP/1.1
Host: 82.78.227.176
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Connection: ...