Perhaps your two choices are: if you can recognize valid traffic, forward it and block everything else (especially since the hosts have dedicated functions); or identify the virus and block just it.
QoS commands would be one way to both identify traffic and pass it or block it. NBAR is the specific feature that might be used for identification.
If you can identify "good" traffic, you pass it and block all else, or perhaps very much rate limit the unknown traffic. The latter would keep a virus from flooding your ATMs and POS, but this wouldn't be good if the virus can infect them.
Since you mention the virus uses dynamic ports, to identify it you might check whether Cisco has an NBAR PDLM to do so. If not, NBAR can be configured for some packet inspection, but it might only be when using the HTTP protocol.
If you drop a 6500 with sup32-PISA in line, I recall its FPM feature might allow you to better see and then drop virus packets.
This link, http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/QoS_SRND/BranchQoS.html#wp89756, provides some more information about using NBAR to handle various worms.
Considering the likely importance of this issue to you, it is something you might want to retain additional consultation for.
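The approach the reply above describes (whitelist the dedicated hosts' traffic, drop what NBAR can positively identify, and heavily police the rest) written out as an added IOS MQC configuration example. This is not the poster's configuration and is not taken from the linked SRND; the addresses, ports, URL pattern and interface name are assumptions chosen for illustration.

```cisco
! Added example (not from the original post): an IOS MQC input policy that
! forwards known-good ATM/POS traffic, drops one NBAR-identified worm
! signature, and rate-limits everything else. All addresses, ports, the
! URL pattern and the interface name are assumptions for illustration.
!
! Optional first step: let NBAR report what is already on the link
! (inspect with "show ip nbar protocol-discovery").
interface GigabitEthernet0/1
 ip nbar protocol-discovery
!
! Whitelist of what the dedicated hosts are supposed to send (assumed):
!   POS terminals 10.20.0.0/16 -> payment gateway 10.1.1.10 TCP/443
!   ATMs          10.30.0.0/16 -> ATM host        10.1.1.20 TCP/2323
!   any host      -> DNS server 10.1.1.5 UDP/53
ip access-list extended KNOWN-GOOD-ACL
 permit tcp 10.20.0.0 0.0.255.255 host 10.1.1.10 eq 443
 permit tcp 10.30.0.0 0.0.255.255 host 10.1.1.20 eq 2323
 permit udp any host 10.1.1.5 eq domain
!
class-map match-any KNOWN-GOOD
 match access-group name KNOWN-GOOD-ACL
!
! A worm signature NBAR can match without a PDLM: an HTTP URL pattern.
! The pattern is assumed; this is the form used for HTTP-borne worms.
class-map match-all WORM-HTTP
 match protocol http url "*.ida*"
!
! Classes are evaluated top to bottom, so the drop class goes first.
policy-map EDGE-IN
 class WORM-HTTP
  drop
 class KNOWN-GOOD
  ! no action: matched traffic is forwarded normally
 class class-default
  ! everything unknown, including dynamic-port scanning, is policed to
  ! 64 kbit/s; this throttles a flood rather than blocking it outright
  police 64000 conform-action transmit exceed-action drop
!
interface GigabitEthernet0/1
 service-policy input EDGE-IN
```

NBAR classification requires CEF to be enabled on the router, and the "match protocol http url" test only sees traffic NBAR recognizes as HTTP, which is the limitation the reply mentions. Because class-default is policed, anything the whitelist forgets (management, NTP, logging) is throttled too, so check "show policy-map interface GigabitEthernet0/1" for unexpected drops in class-default before trusting the ACL as complete.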