Doing PAT you will receive multiple entries which a person is connecting to you and opening multiple ports. This is normal.
First off, I would turn off IP Fast Switching (no ip route-cache) on all the nat inside/outside interfaces if its not already turned off. The two dont work well together, and always saw various issues when the two worked together. Second, I would add a packet sniffer to your network and verify the packets are indeed accessing your LAN, or if its just a small bug in which the cisco router is generating the information you are seeing.
Now I havent really read much on the Code Red virus, but I know it sends a GET request to your port 80 server. Maybe if you have the patch, the server blocks the GET request attempts in which it doesnt show anyone accessing your web server.
