April 2nd, 2003, 11:42 AM
#3
AFAIK, most virus checkers are fairly stupid.
They have thousands of "signatures" which are either small pieces of code or hashes of bits of code (not sure which), which they can efficiently compare any new binary against.
At the AV company, humans analyse the binary of a new virus (or other malware, e.g. a keylogger), determine a part of it which is fairly unique (its "signature"), and add that signature to the next update of the virus checker.
The virus checkers won't detect:
- An existing piece of malware which has been manually altered such that the signature is no longer the same
- An existing piece of malware which has been recompiled from source with compiler options sufficiently different that its signature is different
- A new piece of malware, even if it's similar in function to many existing ones
- Worms like Code Red which never write themselves to disc (Code Red is very clever because it exists entirely in memory, hence the scanners can't touch it)
Hence you should not rely on a virus checker to tell you that a binary is safe.
Some work heuristically, they try to detect that a program is bad from its actions. This is unreliable because:
1. In order to do that, you have to run the program, and by the time you detect it, it might have already done bad things
2. "Bad things" are very similar to "Good things"
3. In a server environment, mis-detecting a legit program as a virus will definitely cause denial of service
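The signature model described in the post above, as an added example that is not part of the original post or from any real AV product. It implements both signature styles the poster mentions (a raw byte pattern searched for anywhere in the file, and a hash of a fixed block at a recorded offset) and then applies the two evasions listed: a one-byte manual edit, and a layout shift of the kind a different compiler or linker setting produces. The "malware" is a constructed byte string, the signature bytes are an assumed analyst choice, and all function names are this example's own.

```python
import hashlib

# Constructed stand-in for a known malicious binary. It is an arbitrary byte
# string made up for this example, not a real sample.
KNOWN_SAMPLE = (
    b"\x90" * 16                     # NOP sled
    + b"MZ-fake-header"              # pretend file header
    + b"\x00" * 8
    + b"evil_payload_routine_v1"     # the "fairly unique" bytes an analyst picks
    + b"\xcc" * 32                   # INT3 padding
)

# Assumption: the analyst chose the payload routine's name string as the signature.
SIGNATURE_BYTES = b"evil_payload_routine_v1"
HASH_WINDOW = 16   # size of the block whose hash is also recorded


def build_signature(sample: bytes, unique_bytes: bytes) -> dict:
    """Record both signature styles from a known sample:
    - a raw byte pattern (searched for anywhere in a file), and
    - a SHA-256 of a fixed block at the offset where the pattern was found."""
    offset = sample.find(unique_bytes)
    if offset < 0:
        raise ValueError("unique bytes not present in sample")
    block = sample[offset:offset + HASH_WINDOW]
    return {
        "pattern": unique_bytes,
        "hash_offset": offset,
        "block_hash": hashlib.sha256(block).hexdigest(),
    }


def scan(data: bytes, sig: dict) -> dict:
    """Apply one signature to a file. A real scanner does this for thousands
    of signatures, but the per-signature logic is this simple: no execution,
    no understanding of what the bytes do."""
    pattern_hit = sig["pattern"] in data
    block = data[sig["hash_offset"]:sig["hash_offset"] + HASH_WINDOW]
    hash_hit = hashlib.sha256(block).hexdigest() == sig["block_hash"]
    return {"pattern_hit": pattern_hit, "hash_hit": hash_hit,
            "detected": pattern_hit or hash_hit}


# Two edits a virus writer (or a different compiler/linker) might make.
def patch_byte(data: bytes, offset: int, value: int) -> bytes:
    """Manually alter one byte, e.g. with a hex editor."""
    return data[:offset] + bytes([value]) + data[offset + 1:]


def prepend_padding(data: bytes, n: int) -> bytes:
    """Shift every offset by n bytes, as a different section layout would."""
    return b"\x00" * n + data


def run_demo() -> dict:
    """Scan the original and three altered copies with the same signature."""
    sig = build_signature(KNOWN_SAMPLE, SIGNATURE_BYTES)
    # Change the '_' after "evil" to '-': one byte inside the signature.
    patched = patch_byte(KNOWN_SAMPLE, sig["hash_offset"] + 4, ord("-"))
    shifted = prepend_padding(KNOWN_SAMPLE, 1)
    both = prepend_padding(patched, 1)
    return {
        "original": scan(KNOWN_SAMPLE, sig),
        "one_byte_patched": scan(patched, sig),
        "layout_shifted": scan(shifted, sig),
        "patched_and_shifted": scan(both, sig),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:22s} {result}")
```

Running it shows the asymmetry between the two signature styles: the single-byte patch defeats both (the pattern no longer occurs and the hashed block has changed), while the layout shift alone defeats only the offset-bound hash, because a byte pattern is searched for position-independently. Combine the two edits and the file is clean as far as this scanner can tell, which is the poster's point that a scanner's silence says nothing about a binary that was never in its database in exactly that form.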