Without knowing more detail about how your router is configured it is difficult to give an exact answer to your question. But given what you have described I think it is not likely that this is virus traffic. I suspect that the traffic that shows up in the flow cache to null 0 is traffic which your router does not know how to forward (host unreachable or network unreachable) and was discarded.
If you want to investigate this further I suggest that you take one or two examples from the flow cache and do a show ip route for that destination address.
Null0 is used to mark packets/flows that should be discarded. This can be due to actual null routes, matching the "deny" in an ACL, or other issue. A CEF entry pointing to 'null0' is created to avoid reprocessing the route/ACL/etc for subsequent packets of a flow.
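One way to carry out the check suggested in this thread, as an added example that is not part of any reply: the script pulls the Null-destined rows out of flow cache output, totals discarded packets per destination, and builds the `show ip route` lookups to run. The sample rows are constructed, the eight-column layout is assumed to be that of `show ip cache flow`, and the function names are illustrative.

```python
from collections import Counter, defaultdict

# Constructed sample in the assumed column layout of "show ip cache flow"
# (SrcIf SrcIPaddress DstIf DstIPaddress Pr SrcP DstP Pkts); Pr and ports are hex.
SAMPLE = """\
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Fa0/0         10.1.1.5        Null          192.168.50.1    06 0C3B 01BD     3
Fa0/0         10.1.1.5        Null          192.168.50.1    06 0C3C 01BD     3
Fa0/0         10.1.1.9        Fa0/1         172.16.4.20     06 0D11 0050    42
Fa0/0         10.1.1.7        Null          10.99.0.12      11 0035 0035     1
Fa0/1         172.16.4.20     Fa0/0         10.1.1.9        06 0050 0D11    40
"""

def null_flows(text):
    """Yield a dict for each flow whose destination interface is Null."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[0] == "SrcIf":
            continue  # header, blank or summary line
        if f[2].lower().startswith("null"):
            yield {"src": f[1], "dst": f[3], "proto": int(f[4], 16),
                   "dport": int(f[6], 16), "pkts": int(f[7])}

def summarize(text):
    """Return (packets per discarded destination, distinct destinations per source/proto/port)."""
    pkts = Counter()
    fanout = defaultdict(set)
    for fl in null_flows(text):
        pkts[fl["dst"]] += fl["pkts"]
        fanout[(fl["src"], fl["proto"], fl["dport"])].add(fl["dst"])
    return pkts, {k: len(v) for k, v in fanout.items()}

def route_checks(text, top=2):
    """Build the 'show ip route' commands for the busiest discarded destinations."""
    pkts, _ = summarize(text)
    return [f"show ip route {dst}" for dst, _ in pkts.most_common(top)]

if __name__ == "__main__":
    pkts, fanout = summarize(SAMPLE)
    for dst, n in pkts.most_common():
        print(f"{dst:15} {n} pkts discarded")
    for (src, proto, dport), n in fanout.items():
        print(f"{src} proto {proto} dport {dport}: {n} distinct destination(s)")
    print("\n".join(route_checks(SAMPLE)))
```

A handful of destinations that each lack a route fits the unreachable-destination explanation given above, while the per-source count of distinct destinations shows how widely one host's discarded traffic is spread.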