In general, an unknown writer identifies a vulnerability in a common system, writes software to exploit it and releases it to his chums and the antivirus companies, sometimes into the wild. The virus is analysed, a unique pattern within it is identified and the antivirus companies release the update to their customers.
One approach to counter that is heuristic analysis, where software examines email attachments and incoming files and attempts to work out what they actually do. A more advanced form of heuristic scanning involves running the code, either in emulation or a virtual machine, and watching for dangerous activity.
Yet another approach is to monitor not the suspect code, but the entry points to the operating system: as software runs, the antivirus program constantly checks for dangerous activity.
One of the latest demonstrations comes from Washington University, where John Lockwood and his students have developed a device called the Field Programmable Port Extender (FPX) that can scan incoming bitstreams at up to 2.4 gigabits per second. The hardware builds incoming packets into a message, analyses the protocol headers and compares the contents of the message against a database of known signatures — all things that are normally done in software.
More info: [url=http://insight.zdnet.co.uk/0,39020415,39118047,00.htm]http://insight.zdnet.co.uk/0,39020415,39118047,00.htm[/url]
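
The FPX description above has the hardware build packets into a message before comparing it against signatures; that step matters because a pattern can straddle a packet boundary. The following Python sketch is an added example, not code from the FPX project or the linked article, and models the idea in software only; the signatures, sample stream and function names are constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed signature database: name -> byte pattern (harmless markers).
SIGNATURES: Dict[str, bytes] = {
    "Test.Marker.A": b"HARMLESS-TEST-PATTERN-A",
    "Test.Marker.B": b"\x90\x90DEMO\x00SIG",
}

Segment = Tuple[int, bytes]  # (byte offset within the stream, payload)

def scan(data: bytes) -> List[str]:
    """Return the sorted names of every signature found in data."""
    return sorted(name for name, pat in SIGNATURES.items() if pat in data)

def scan_per_packet(segments: List[Segment]) -> List[str]:
    """Naive approach: check each payload in isolation."""
    hits = set()
    for _, payload in segments:
        hits.update(scan(payload))
    return sorted(hits)

def reassemble(segments: List[Segment]) -> bytes:
    """Order segments by offset, skip bytes already accepted, stop at a gap."""
    stream = bytearray()
    for off, payload in sorted(segments):
        if off > len(stream):
            break  # missing data: nothing past the hole can be trusted yet
        stream.extend(payload[len(stream) - off:])
    return bytes(stream)

def scan_reassembled(segments: List[Segment]) -> List[str]:
    """Rebuild the message first, then compare it against the database."""
    return scan(reassemble(segments))

# Constructed sample: one message delivered out of order with a
# retransmitted overlap, so the pattern never sits whole in one payload.
STREAM = b"header:demo\r\n\r\n....HARMLESS-TEST-PATTERN-A...."
SEGMENTS: List[Segment] = [
    (30, STREAM[30:]),
    (0, STREAM[:30]),
    (20, STREAM[20:35]),
]

if __name__ == "__main__":
    print("per-packet :", scan_per_packet(SEGMENTS))
    print("reassembled:", scan_reassembled(SEGMENTS))
```
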