
Opaserv virus (Brazil variant)


Mac the Knife
17th Jun 2003, 05:46
Well whaddya know! McAfee just picked up BRAZIL.PIF in my Windows directory! It doesn't seem to have activated, since none of the other files or registry entries that it spawns are present on this 98SE PC or the other 98 PC that is occasionally brought onto the network (the other machines are XP Pro and Suse Linux 8.1). All (few) shares are strong password protected and mostly r/o. The appropriate M$ patch for 98SE has been in place for ages. The firewall shows no udp/137 probes (plenty of others), all un-needed ports are closed and open ports are filtered. AV/firewall is religiously up to date. JPSoft's local port scanner shows just about everything is closed and Ad-Aware shows clean. Mailwasher cleans out the crap before Outlook 98 downloads it and HAWK and the scanner check everything that comes in.

Now how in the hell did it get there?

Two good links, but I'm no nearer an answer:
http://www.mynetwatchman.com/kb/security/ports/17/137.htm
http://www.dslreports.com/forum/remark,6233926~root=security,1~mode=flat

fobotcso
17th Jun 2003, 06:17
A few months ago I had that buried in my Win ME machine's Restore Files so that although McAfee repeatedly said it had purged it from the system it kept reappearing.

Solution was to delete the Restore Files (used Emergency Recovery Disk to boot). Then reactivated "Restore" and carried on rejoicing.

Where it came from? Because McAfee has problems with Windows ME I had to disable it deliberately to fix the OS and I inadvertently allowed the PC to access the Web. So I was without McAfee's download scanning for a couple of hours and it can only have been then that the beast got on to the machine.

After that I "binned" ME and converted the machine to Win2K.

TR4A
17th Jun 2003, 06:22
Symantec (http://securityresponse.symantec.com/avcenter/venc/data/w32.opaserv.e.worm.html)

W32.Opaserv.E.Worm is a variant of W32.Opaserv.Worm. It is a network-aware worm that spreads itself across open network shares. It copies itself to the remote computer as the file Brasil.exe or Brasil.pif.

This worm also attempts to download updates from www.n3t.com.br, although the site may have already been shut down. Indicators of infection include:

The existence of the files Brasil.dat and Brasil!.dat, or Put.ini in the root of drive C. This indicates a local infection (that is, the worm was executed on the local computer).
The existence of the Put.ini file in the root of drive C. This may indicate a remote infection (that is, the computer was infected by a remote host).
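The Symantec write-up quoted above gives a usable triage rule: the Brasil.dat / Brasil!.dat files in the root of C: mean the worm ran locally, Put.ini alone suggests it was copied in from another host, and a lone Brasil.pif / Brasil.exe (the poster found it as BRAZIL.PIF) in the Windows directory is a dropped copy that may never have executed. The script below is an added example, not code from the thread or from Symantec; it checks a drive root for exactly those indicator names (case-insensitively, with both spellings of the PIF) and reports which of the three situations applies. The `WINDOWS` subdirectory default and the `run_scenario` helper, which builds constructed placeholder files in a temporary directory so the script runs offline, are assumptions for the demonstration.

```python
import tempfile
from pathlib import Path

# Indicator names quoted from the Symantec description in the thread.
# Everything is compared in lower case because FAT/Win98 file names are case-insensitive.
LOCAL_INDICATORS = {"brasil.dat", "brasil!.dat"}   # present => worm executed on this host
REMOTE_INDICATOR = "put.ini"                        # alone => possibly copied in by a remote host
DROPPED_COPIES = {"brasil.exe", "brasil.pif", "brazil.pif"}  # the dropped worm file itself


def scan_host(root, windows_dir=None):
    """Look for Opaserv.E indicators under a drive root and classify the finding.

    root        -- the drive root to inspect, e.g. "C:\\" on the affected machine
    windows_dir -- the Windows directory; defaults to <root>/WINDOWS (assumption)
    """
    root = Path(root)
    root_names = {p.name.lower() for p in root.iterdir() if p.is_file()}
    win = Path(windows_dir) if windows_dir else root / "WINDOWS"

    local = sorted(root_names & LOCAL_INDICATORS)
    remote = REMOTE_INDICATOR in root_names
    dropped = []
    if win.is_dir():
        dropped = sorted(p.name for p in win.iterdir()
                         if p.is_file() and p.name.lower() in DROPPED_COPIES)

    # Ordering matters: a local infection also leaves Put.ini behind, so test for it first.
    if local:
        verdict = "local"          # worm was executed on this computer
    elif remote:
        verdict = "remote"         # another host wrote to this share
    elif dropped:
        verdict = "dropped_only"   # copy present, no sign it ever ran
    else:
        verdict = "clean"

    return {"verdict": verdict, "local_indicators": local,
            "put_ini": remote, "dropped_copies": dropped}


# Constructed test layouts (placeholder files only, no real worm content).
SCENARIOS = {
    "clean": [],
    "dropped_only": ["WINDOWS/BRAZIL.PIF"],                     # the poster's situation
    "remote": ["Put.ini"],
    "local": ["Brasil.dat", "Brasil!.dat", "Put.ini", "WINDOWS/Brasil.pif"],
}


def run_scenario(name):
    """Build one constructed layout in a temp dir and scan it (demo helper, an assumption)."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel in SCENARIOS[name]:
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"constructed placeholder, not malware")
        return scan_host(tmp)


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:13s} -> {run_scenario(name)}")
```

On a real machine you would call `scan_host("C:\\")`; the script only reads file names and never opens or executes the flagged files, so it is safe to run on a suspect box before deciding whether a full clean-up (including the Restore Files mentioned earlier in the thread) is needed.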