That's right, for normal antiviruses, you first need to study a malicious program and only then develop a tool to detect and combat this. Romada works differently, as I understand it.
All antiviruses collect viruses in their database. Otherwise, how can they identify the virus in the file if it is suspected of being infected?