
Re: Proposal to define a simple architecture to differentiate legitimate bulk email from Spam (UBE)

2003-09-09 10:07:14
The viruses can use the credentials of the infected user. That is
"legitimate", until someone reading the email realizes it's not and
complains. These send 40-50 messages per IP, and are hard to detect as
bulk.

Reports from some operators of DCC clients at non-trivial sites
claim that the DCC does a tolerable job against SoBig.F.  This is
without the Greylist support now available in the DCC client code.

The DCC detects bulk mail, defined as substantially identical
messages from any SMTP client senders.  I'd not expect the DCC to do
well against most worms or viruses.  SoBig is somewhat different.
(I won't talk about those differences in public or with people I don't know
well enough to say they'll also be discreet.  Like other people who
care more about fighting viruses and spam than being known as fighters
of viruses and spam, I think the profit in idle chatter is not worth
the cost of giving even trivial aid and comfort to the bad guys.)


As has been pointed out, all of this belongs in the ASRG mailing list
if anywhere.

See http://irtf.org/charters/asrg.html 
and
https://www1.ietf.org/mail-archive/working-groups/asrg/current/maillist.html


Vernon Schryver    vjs(_at_)rhyolite(_dot_)com


