WASHINGTON (09/24/2003) - A computer virus Tuesday disabled a portion of the U.S. State Department's domestic enterprise network, forcing the agency to halt overseas screenings of visa applicants for criminal histories and links to terrorism, a department official confirmed today.
The virus, identified as the Welchia virus, forced the State Department to quarantine the network used by its Consular Lookout and Support System, known as CLASS, which contains nearly 15 million records on known or suspected terrorists and other criminals. As a result, the system was unavailable between noon and 9 p.m. EDT yesterday, said Mary Swann, a State Department spokeswoman.
However, Swann denied earlier reports that indicated the virus had infected the CLASS system and was the cause of the shutdown.
"At no time was the department's classified network infected," nor did it infect the visa screening system, she said. Although e-mail communications were slowed because of the virus, Swann said the interruption of service in the CLASS name-checking system was due solely to security precautions taken by the department.
No visas were issued until applicants could be checked against the system, she said.
The CLASS name-checking system is designed to make it difficult for visa applicants to hide relevant information on criminal histories or terrorist links from State Department consular officers. Complex algorithms are used to provide uniform and consistent translations of names in non-Roman alphabets. The system displays a wide range of potential name matches that a consular officer must review prior to issuing a visa. Other documentation is necessary as well, including a passport, job letters and other data the consular officers cross-check.
The outbreak affected only Windows systems on the State Department's unclassified network in its Washington facility, according to Swann. That network hosts the agency's unclassified e-mail system as well as other unclassified network resources.
Swann defended the State Department's IT security system, saying that the agency has a "very elaborate system" of firewall, intrusion-detection system and antivirus technologies that were all up to date at the time of the outbreak.
The agency couldn't provide statistics on how many Windows systems were infected or how the worm was introduced to the Department of State's network, she said.
Swann also couldn't comment on why State Department systems were vulnerable to the Welchia worm.
Infections on the agency's internal network suggest that Windows systems hadn't been patched with either one of two critical Microsoft software updates that plugged the security holes exploited by Blaster and Welchia, but Swann couldn't confirm the existence of unpatched systems on the network.
First identified on Aug. 18, Welchia spreads by exploiting the same Windows security hole as the W32.Blaster worm.
It doesn't rely on e-mail messages to spread. The worm exploits machines by sending an improperly formatted remote procedure call message to vulnerable systems, causing a buffer overflow on the machines that allows the worm code to spread.
After infecting vulnerable Windows 2000 or Window XP machines, the new worm searches for and removes the Blaster worm file, Msblast.exe, and attempts to download and install a Windows software patch from Microsoft that closes the security hole used by the worm, according to antivirus companies.
Although the number of new Welchia infections is down since August, copies of it are still circulating on the Internet. Today, antivirus company Symantec Corp. still had Welchia rated a Category 4 threat on a scale of one to five, indicating a "severe" threat that is "difficult to contain."
As of 12:30 p.m. today, Swann said the majority of the State Department's desktops were back up and running properly. Officials expect to have the entire domestic network fully functioning by the end of the day.
Paul Roberts of the IDG News Service contributed to this report.