August 19th, 2004, 05:29 AM
#6
So far it seems that whatever is unique to a certain subject is used as a definition. I've been researching a little bit too. If a file has a common MD5, then that is used. If it is polymorphic, but the first 10 bytes and file size are common, then that is used. As far as I'm concerned, standardizing signatures for static malware is easy, no problem. Heuristics, OTOH, are a biyatch. The only thing I can think of is signatures that send instructions to the scanner, but then two side effects follow: malicious definitions and slow scanning. I fear the worm that uses extensive code from hydan.
Malware in general uses registry values: adware for the BHOs and virii for startup methods. Malware isn't really a challenge to code; it's the vector that is. Exploiting IE or Outlook is a daunting task, all jokes aside. Right now, it seems to be a fight between static malware and static signatures. Polymorphic malware is simple and easy to conceive; heuristic scanning is extremely hard. Hard because it's slow, can false positive, and isn't 100% accurate.
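The two definition types the post describes (a whole-file MD5 for static samples, and first-10-bytes-plus-file-size for samples whose body changes) are easy to see side by side in a toy scanner. The code below is an added example, not from the original thread or from any real AV engine; the samples are constructed byte strings with a DOS-header-like prefix, and the signature names `Example.Static` and `Example.Poly` are made up. It also shows the caveat the post hints at: a prefix+size definition fires on any unrelated file that happens to share those 10 bytes and that length, which is exactly why that style of definition false-positives where an exact hash cannot.

```python
import hashlib
from dataclasses import dataclass
from typing import Iterable, Optional

PREFIX_LEN = 10  # the "first 10 bytes" the post mentions


@dataclass(frozen=True)
class Signature:
    name: str
    md5: Optional[str] = None       # whole-file hash: exact, but one changed byte evades it
    prefix: Optional[bytes] = None  # first PREFIX_LEN bytes, for samples whose body varies
    size: Optional[int] = None      # paired with prefix to narrow the match


@dataclass(frozen=True)
class Detection:
    name: str
    method: str  # "md5" or "prefix+size"


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def scan(data: bytes, sigs: Iterable[Signature]) -> Optional[Detection]:
    """Return the first definition that matches `data`, exact hashes first."""
    sigs = list(sigs)
    digest = md5_hex(data)
    # Pass 1: exact-hash definitions. One hash per file, never a false positive.
    for s in sigs:
        if s.md5 is not None and s.md5 == digest:
            return Detection(s.name, "md5")
    # Pass 2: prefix+size definitions for samples whose hash changes per copy.
    for s in sigs:
        if s.prefix is not None and s.size is not None:
            if len(data) == s.size and data[:PREFIX_LEN] == s.prefix:
                return Detection(s.name, "prefix+size")
    return None


# Constructed samples (not real malware). Every file below shares the same
# 10-byte DOS-header-like prefix, as many real PE files do, and has a 22-byte body.
HEADER = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00"
STATIC_SAMPLE = HEADER + b"\x00" * 22       # the sample the definitions were built from
POLY_VARIANT = HEADER + b"\x41" * 22        # same prefix and size, body re-encoded
BENIGN_SAME_SHAPE = HEADER + b"\x42" * 22   # unrelated file of identical prefix and size
POLY_RESIZED = POLY_VARIANT + b"\x00"       # one byte longer: prefix+size misses it

# Hypothetical definition database derived from STATIC_SAMPLE.
DEFINITIONS = [
    Signature("Example.Static", md5=md5_hex(STATIC_SAMPLE)),
    Signature("Example.Poly",
              prefix=STATIC_SAMPLE[:PREFIX_LEN],
              size=len(STATIC_SAMPLE)),
]

if __name__ == "__main__":
    for label, blob in [("static", STATIC_SAMPLE),
                        ("poly variant", POLY_VARIANT),
                        ("benign, same shape", BENIGN_SAME_SHAPE),
                        ("poly, resized", POLY_RESIZED)]:
        print(f"{label:20s} -> {scan(blob, DEFINITIONS)}")
```

Running it shows the trade-off in four lines: the static sample hits on MD5, the re-encoded variant only hits on prefix+size, the benign file of the same shape hits the same prefix+size definition (a false positive), and a variant one byte longer is missed entirely. Tightening the definition (longer prefix, a hash of a fixed code region instead of the first bytes) reduces the false positive but also narrows what the definition catches.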