Something that's often forgotten is you don't have to create a file with a perfectly matching MD5 or SHA1. All you need is a file with hashes that match at the beginning and end, and for enough of the other hex digits to *look* ok.
Though semi-matching *two* independent hashes would be a neat trick for the bad guy to pull. I'd worry that MD5 and SHA1 are not particularly independent, though. They are algorithmically close.