8 Replies Latest reply on Oct 22, 2010 3:24 PM by Henry.Blair1

    leeni4 virus


      We are having some major problems with a virus that is spreading across our entire network. 

      Some background:

      We are a a school district with 15 sites and around 3,750 computers, mostly Windows XP.

      We are running LANDesk 8.8 SP4 with the AV component, set to update daily

      Some systems seem to be catching it before it infects, while others allow it to run (LDAV is showing as real-time service running and latest updates)


      The processes in memory are usually leeni4 or fcevhoo and many instances of iexplore, even if IE is not visibly open.


      This is like no virus we've ever seen.  I've seen it detected as several things, including:

      Trojan-Dropper.win32.DroopTroop.gst and .guv


      Trojan-PSW.Win32.Qbot.og (many variants)






      It doesn't seem to be destructive, but I'm concerned it may be a key logger from what I've been able to find.

      It spreads via SMB using the IPC$ share and copies itself to the remote systems.  It is actually able to cross subnets, which I've not seen from a virus.

      The only way we've been able to limit the spread is by disabling the SERVER service on the workstations.


      Any ideas would be greatly appreciated.