Hello,
Yes, Many viruses (Downadup.B, for example) attempt to spread by enumerating network shares (including the ADMIN$ shares). They will try to establish a connection as an existing user by authenticating with a predetermined list of common passwords. These attempts are likely to fail, and that could result in Active Directory placing restrictions on the user account that made repeated failed attempts.
In instances where a network experiences widespread lockout and suspects a virus, being an administrator, you should examine their network's audit logs. What resources on the network is the account attempting to access?
Auditing is an important part of a network's security, though it is a feature of Windows and Active Directory rather than of a Symantec product.
In terms of Downadup.B, follow this article:
https://www-secure.symantec.com/connect/articles/best-practice-downadupb-and-additional-information-same
I found Microsoft Article on this Account Lockups:
Description of NTDS replication warning IDs 1083 and 1061, and SAM error ID 12294 because of an Active Directory collision
http://support.microsoft.com/kb/306091
Event ID 12294 — Account Lockout
http://technet.microsoft.com/en-us/library/cc733228(WS.10).aspx
Event ID 675 in Windows' Security Event Log may be a good way to identify the client IP address of computers which are repeatedly trying bad passowrds for Admin, etc accounts :
http://technet.microsoft.com/en-us/library/bb742435.aspx
Hope that helps!!