Welchia virus disrupts US State Dept network

A computer virus yesterday disabled a portion of the US State Department’s domestic enterprise network, forcing the agency to...

A computer virus yesterday disabled part of the US State Department’s domestic enterprise network, forcing the agency to halt overseas screenings of visa applicants.

The virus, identified as the Welchia virus, forced the department to quarantine the network used by its Consular Lookout and Support System, known as Class, which contains nearly 15 million records on known or suspected terrorists and other criminals.

As a result, the system was unavailable between noon and 9pm local time yesterday, said Mary Swann, a State Department spokeswoman. 

However, Swann denied earlier reports which indicated that the virus had infected the Class system and was the cause of the shutdown. 

Although e-mail communications were slowed because of the virus, Swann said the interruption of service in the Class system were soley because of security precautions taken by the department. 

No visas were issued until applicants could be checked against the system. 

The Class name-checking system is designed to make it difficult for visa applicants to hide relevant information on criminal histories or terrorist links from State Department consular officers.

Complex algorithms are used to provide uniform and consistent translations of names in non-Roman alphabets. The system displays a wide range of potential name matches that a consular officer must review before issuing a visa. Other documentation is necessary, such as a passport and job letters. 

The outbreak affected only Windows systems on the State Department's unclassified network in its Washington facility. That network hosts the agency's unclassified e-mail system as well as other unclassified network resources. 

Swann defended the State Department's IT security system, saying that the agency has a "very elaborate system" of firewall, intrusion-detection system and antivirus technologies, which were all up to date at the time of the outbreak. 

The agency was unable to provide statistics on how many Windows systems were infected or how the worm was introduced to the network. 

Infections on the agency's internal network suggest that Windows systems had not been patched with either one of two critical Microsoft software updates which plugged the security holes exploited by Blaster and Welchia, but Swann could not confirm the existence of unpatched systems on the network. 

Welchia, which appeared last month, spreads by exploiting the same Windows security hole as the W32.Blaster worm. It exploits machines by sending an improperly formatted remote procedure call message to vulnerable systems, causing a buffer overflow on the machines which allows the worm code to spread. 

After infecting vulnerable Windows 2000 or Window XP machines, the new worm searches for and removes the Blaster worm file, Msblast.exe, and attempts to download and install a Windows software patch from Microsoft which closes the security hole used by the worm. 

Although the number of new Welchia infections is down since August, copies of it are still circulating on the internet. Antivirus company Symantec still rated Welchia as a Category 4 threat, indicating a "severe" threat that is "difficult to contain".

Dan Verton writes for Computerworld

Read more on IT risk management