First off, virtually all AV companies have several "fly traps" or "honeypots". A fly trap is a network of desktop computers with Internet access and zero protection that exist to "catch" malware. Bot-scripts on the computers crawl the web looking for risky sites, and break all the rules for safe browsing that are drilled into us normal people. As a result, they pretty much become petri dishes for computer viruses.
These fly traps serve two valuable purposes to security experts; first, these boxes catch new malware that may never have been seen before, giving experts notice that a zero-day threat exists. Second, once they've isolated something new, they can introduce it into a completely isolated, "clean" fly trap with a lot of monitoring tools, and watch it do its thing; see how it replicates, what protocols and ports it uses, what files it modifies, what harmful effects it can have; generally, everything they need to know to be able to protect AV subscribers from this new threat. They can also introduce it to a computer protected by their AV software, and see how well it fares; anything the virus does that the AV doesn't catch and prevent can be specifically looked for by tweaking their virus definition files or their heuristic algorithms to add this known threat.
In addition, AV experts have been at this for years. Decades even. Despite news stories reporting worms like Conficker, Storm, Stuxnet etc., these are the two or three a year that are notable; thousands of new viruses a year go unreported, because they're really just a rehash of something the AV guys already knew about. As Techbrunch said, most AVs have a heuristic detection algorithm layered on top of looking for specific known viruses. There are areas of a computer that are obvious targets (kernel, device drivers, network adapter, I/O hooks), and there are well-known ways to try to get to them. AV algorithms continually scan a protected system looking for these general red flags. Those thousands of new but unoriginal viruses trip the heuristic detection, the AV interrogates the source, collects information, quarantines anything that might have been maliciously affected and calls home to report this new potential malware. This heuristic algorithm basically turns every AV-protected computer in the world into a huge fly trap for the company writing the AV; what better way to see what needs to be defended against than to see infections happening in the real world?
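The two layers this answer describes (exact-match signatures for known samples, then heuristic "red flags" from observed behaviour for anything new) as a toy model in Python. This is an added example, not code from the answer or from any AV product; the sample hashes, behaviour traces, flag names and weights are all constructed for illustration.

```python
# Added example: signature layer (known-hash lookup) plus heuristic layer
# (weighted red-flag behaviours seen in a sandbox trace). All hashes, events
# and weights below are constructed, not real AV data.
import hashlib

KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-known-malware-sample").hexdigest(): "Worm.Constructed.A",
}

# Red-flag behaviours of the kind the answer names (kernel, drivers, network
# adapter, I/O hooks). One high-weight action, or several low-weight ones
# together, pushes a sample over the threshold.
RED_FLAGS = {
    "load_kernel_driver": 5,
    "install_io_hook": 4,
    "modify_network_adapter_config": 3,
    "copy_self_to_removable_media": 3,
    "write_system_dir": 2,
    "open_listen_port": 2,
}
HEURISTIC_THRESHOLD = 6

def signature_match(sample: bytes):
    """Layer 1: return the known-threat name if the sample hash is on file."""
    return KNOWN_BAD_SHA256.get(hashlib.sha256(sample).hexdigest())

def heuristic_score(trace):
    """Layer 2: sum the weights of distinct red-flag actions in a sandbox trace."""
    seen = {evt["action"] for evt in trace}
    hits = sorted(a for a in seen if a in RED_FLAGS)
    return sum(RED_FLAGS[a] for a in hits), hits

def classify(sample: bytes, trace):
    """Known sample -> block; unknown but red-flagged -> quarantine and report home."""
    name = signature_match(sample)
    if name:
        return {"verdict": "known_malware", "name": name, "action": "block"}
    score, hits = heuristic_score(trace)
    if score >= HEURISTIC_THRESHOLD:
        return {"verdict": "suspicious", "score": score, "flags": hits,
                "action": "quarantine_and_report"}
    return {"verdict": "clean", "score": score, "flags": hits, "action": "allow"}

# Constructed sandbox traces: a never-before-seen worm and a benign program.
NEW_WORM_TRACE = [
    {"action": "write_system_dir", "path": "C:\\Windows\\System32\\svc.dll"},
    {"action": "load_kernel_driver", "path": "C:\\Windows\\System32\\drivers\\x.sys"},
    {"action": "open_listen_port", "port": 5555},
]
BENIGN_TRACE = [
    {"action": "write_user_dir", "path": "C:\\Users\\a\\doc.txt"},
    {"action": "open_listen_port", "port": 8080},
]
```

The unknown worm never matches a signature, but its driver load plus system-directory write plus listening port score 9 and get it quarantined and reported, which is the "fly trap" feedback loop the answer describes.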