
"It’s easier to hide a small file than a larger module." my mind is blown. small files are not like small rocks. it's a computer!


Assuming fairly dense formats (no .wavs or .bmp images), large files necessarily mean more than small files, so they draw more attention to themselves. "Why is /foo/bar using 300MB of disk?" is a much more likely avenue of inquiry than "Why is /foo/bar using 50KB of disk?".


Except the last time when 20MB was "large" was in the early 1990s. Today, even if someone goes to clean out their hard drive, a 20MB file is unlikely to even appear on the radar.


Unless you're dealing with most corporate mail systems.


I don't quite understand what you mean - the 20MB file would stand out on a mail server? I find that unlikely, unless they're running OpenBSD. Is the 20MB file attached to mail messages? That also seems unlikely, if only because that's a really stupid way to design a virus.


The reason it's a stupid way to design a virus currently is because that was one of the primary attack vectors in the past. Yes, most decent mail systems will protect against this. But some might not -- might as well use what's worked in the past as well as other options.

Also, what if the mail component were used to hide/archive the virus? Hide a virus attachment from someone to themself, then have some bootstrap code (Outlook/email client exploit, perhaps) that loads the email archived virus back onto the comp.



