Avoiding trojans is a matter of trust. Consider all of these situations where you can acquire software:
1) Download from P2P
2) Receive via e-mail
3) Download from a website you've never seen before
4) Receive on a disk from a friend
5) Download from a popular server used by many people you know
6) Download from a popular server and verify the checksum of the file
7) Download from a server that includes a cryptographic signature of the file
8) Download from a server that includes a cryptographic signature made from a key signed by a trusted authority
You might notice that list is loosely ordered from least trustworthy sources to most trustworthy sources. Frankly, anybody that trusts software from the first four sources is asking for trouble.
The first and second are downright trivial to spoof. The third can be spoofed too, but the effort of running a website makes it harder, plus it tends to provide contact information that can lead back to you easily. This is a big source of spyware in the Windows world, though.
The fourth relies on your friend being capable of knowing whether his source is trustworthy, and with some friends I just couldn't trust that. The fifth is the basic law of averages. If it worked for most people, it should work for you.
The sixth prevents certain malicious attacks. The seventh and eighth defeat nearly any malicious attack and establish explicit levels of trust. In the case of the seventh, you have to trust the person that signed it is who they say they are. In the eighth, you have to trust the trusted authority that believes the person that signed is who they say they are.
So basically, don't trust the first two ever. Never run an application you downloaded from P2P. Scan any data files first if you must have them. Same with e-mail attachments. Not downloading files from strange websites is something Windows users need to learn more than Mac users, but better to learn it now, before Mac spyware exists. Use your own judgement when it comes to software your friends give you.
Downloading from popular websites tends to be safe. There isn't really any protection in it, but if a virus is put on a popular website, it will be found pretty quickly. Adding checksums to the mix is pretty much the same thing, but is handy when there may be a malicious hacker trying to mess with the file.
The final two options are for the paranoid. There are cases where that is a good thing. Cryptographic signatures are a very good idea when there is a central distribution server that can be attacked. This is the case with things such as OS patches, browser plugins, and package repositories. If it's centralized and used by a lot of people, paranoid security is a very good idea.
Just a little trust and security primer. This guy running an application he got from P2P is indeed a stupid thing to have done. Trojans will exist, so learn what you can trust and what you can't. It's as simple as that.
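As an added example (my own code, not from the post above), here is what option 6, "verify the checksum of the file", actually buys you, and where it stops. It parses a sha256sum-style checksum list, compares the digest of a download against it in constant time, and then runs three constructed scenarios: a clean download, a download tampered with in transit, and a server compromise where the attacker republishes a matching checksum next to the swapped file. The file contents, the file name `app.sh` and the checksum list are all made up for the demonstration.

```python
import hashlib
import hmac

# Constructed sample "download" and a tampered copy of it (not real software).
GOOD_FILE = b"#!/bin/sh\necho 'installing example app'\n"
BAD_FILE = GOOD_FILE + b"# extra line a tampering party appended\n"


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the same value sha256sum(1) prints."""
    return hashlib.sha256(data).hexdigest()


def parse_sums(text: str) -> dict[str, str]:
    """Parse sha256sum-style lines: '<hex>  <name>' or '<hex> *<name>'.

    Rejects malformed digests so a corrupted checksum file fails loudly
    instead of silently matching nothing.
    """
    sums: dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.strip().lstrip("*")
        if len(digest) != 64 or any(c not in "0123456789abcdefABCDEF" for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        sums[name] = digest.lower()
    return sums


def verify_download(name: str, data: bytes, sums_text: str) -> bool:
    """True only if the download's digest equals the published digest for `name`."""
    sums = parse_sums(sums_text)
    if name not in sums:
        return False  # no published checksum: treat as unverified
    # compare_digest avoids leaking how many leading hex chars matched
    return hmac.compare_digest(sha256_hex(data), sums[name])


def scenarios() -> dict[str, bool]:
    """Run the three situations the checksum step does and does not cover."""
    published = f"{sha256_hex(GOOD_FILE)}  app.sh\n"  # checksum list from the project
    # 1. Clean download: matches the published checksum.
    clean = verify_download("app.sh", GOOD_FILE, published)
    # 2. File altered on a mirror or in transit, checksum list still genuine: caught.
    tampered = verify_download("app.sh", BAD_FILE, published)
    # 3. Server compromised: attacker swaps the file AND republishes a matching
    #    checksum list. The checksum check passes, which is exactly the gap a
    #    signature (options 7 and 8 above) is meant to close.
    attacker_sums = f"{sha256_hex(BAD_FILE)}  app.sh\n"
    both_replaced = verify_download("app.sh", BAD_FILE, attacker_sums)
    return {
        "clean": clean,
        "tampered": tampered,
        "attacker_replaced_both": both_replaced,
    }


if __name__ == "__main__":
    for case, passed in scenarios().items():
        print(f"{case}: {'checksum OK' if passed else 'checksum MISMATCH'}")
```

The third scenario is the point: a checksum published on the same server as the file only protects against mirrors and transit, so it is worth fetching the checksum list from somewhere the file did not come from, and for anything central and widely used, wanting a signature made with a key you obtained separately.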