U.S. immigration system hit by virus

The U.S. Department of State struggled Tuesday to quell an outbreak of the W32.Welchia Internet worm on the department’s computer systems.

The worm infestation slowed e-mail systems at the massive federal agency and prompted technical staff to suspend network links between Washington, D.C., foreign embassies and consular offices for nine hours to halt the worm’s spread.

That move disrupted the Consular Lookout and Support System (CLASS), which is used to check the names of visa applicants against a database containing the names of millions of people who are ineligible to receive a U.S. visa, according to a spokeswoman.

Contrary to some published reports, the Welchia worm did not infect machines used by CLASS, she said.

“We want to emphasize that the name check system was not attacked,” she said.

The worm outbreak affected only Windows systems on the State Department’s unclassified network in its Washington D.C. facility, according to Mary Swann, a spokeswoman for the Information Resource Management (IRM) bureau, which manages the State Department’s IT.

That network hosts the agency’s unclassified e-mail system as well as other unclassified network resources, she said.

However, with network connections to the CLASS database in Washington, D.C. severed starting at around 4:00 PM GMT, the system could not function, the State Department spokeswoman said.

Department technical staff restored the network connections at around 9:00 PM local time, 1:00 AM GMT on Wednesday, she said.

Staff at the department’s Information Resource Management Bureau were incrementally bringing State Department machines back online in the Washington D.C. facility Wednesday to prevent reinfection, Swann said.

Swann defended the State Department’s IT security system, saying that the agency had a “very elaborate system” of firewall, IDS (Intrusion Detection System) and antivirus technology that were all up to date at the time of the outbreak.

IRM could not provide statistics on how many Windows systems were infected or how the worm was introduced to the Department of State’s network, Swann said.

Swann could also not comment on why State Department systems were vulnerable to the Welchia worm.

Infections on the agency’s internal network suggest that Windows systems had not been patched with either one of two critical Microsoft software updates that plugged the security holes exploited by Blaster and Welchia, but Swann could not confirm the existence of unpatched systems on the network.

The interruption slowed processing of U.S. visas worldwide. Consular staff cannot print official visas without first running the applicant’s name through the CLASS system.

However, applicants who had already been checked against the CLASS system could still be issued U.S. visas late Tuesday, the spokeswoman said.

Other visa functions such as processing applications and interviewing applicants do not rely on CLASS and were unaffected by the worm outbreak, she said.

First identified on Aug. 18, Welchia spreads by exploiting the same Windows security hole as the W32.Blaster worm.

The worm does not rely on e-mail messages to spread. The worm exploits machines by sending an improperly formatted RPC (remote procedure call) message to vulnerable systems, causing a buffer overflow on the machines that enables the worm code to spread.

After infecting vulnerable Windows 2000 or Window XP machines, the new worm searches for and removes the Blaster worm file, Msblast.exe, and attempts to download and install a Windows software patch from Microsoft that closes the security hole used by the worm, according to antivirus companies.

Although the number of new Welchia infections is down since August, copies of the worm are still circulating on the Internet. On Wednesday, antivirus company Symantec Corp. still had Welchia rated a Category 4 threat on a scale of one to five, indicating a “severe” threat that is “difficult to contain.”

On Wednesday, the U.S. embassy in the U.K. and other countries reported no problems with the CLASS system and no delays in issuing visas.

The State Department’s internal investigatory arm, the Bureau of Diplomatic Security, was investigating the Welchia outbreak and would issue an extensive report, Swann said.