In-Depth

State Department Blames Welchia Virus For Shutdown

Visa applicants left high and dry as government database hit with virus

• By Eugene Kaspersky
• 10/15/2003

Following the events of September 11, the United States decided to fortify its borders with the passage of the Patriot Act. One aspect of the act was to upgrade the State Department’s Consular Lookout and Support System (CLASS), which contains more than 12.8 million records from the FBI, the State Department, and U.S. immigration, drug-enforcement, and intelligence agencies. Among the records are the names of at least 78,000 suspected terrorists.

All U.S. consulates and embassies check every person applying for a U.S. visa against CLASS’ extensive database of undesired visitors. It is one of many hurdles visa applicants must clear in their quest to obtain a U.S. visa.

The CLASS check is mandatory; a visa cannot be issued without it. The automated visa system is programmed to not even print visa documents until the CLASS check has been run (and passed).

One would assume, based on the tremendous size, importance, and sensitive nature of the CLASS database, that the Consular Lookout and Support System would have been fully protected from all sides against any threats. Yet on September 23, CLASS ceased to function for nine hours because it detected a computer virus. During that time, nowhere in the world could a U.S. visa be issued. With no immediate backup system ready, thousands of visa candidates found themselves in a state of limbo.

United States government representatives did not specifically name the malicious program that penetrated their computer systems. However, a message sent to all American embassies and consular offices said the Welchia virus had been found in one facility. Recently Welchia was in the news as the cause of an epidemic at the end of August 2003 when it compromised hundreds of thousands of computers the world over.

[Editor's note: This isn't the first time the State Department encountered Welchia. On August 20, six network segments were isolated and scanned. In the State Department briefing the following week, spokesman Philip Reeker noted: "So they tell me that in our examination we found some evidence of the worm and took steps necessary to isolate and remove it from the Department's network. The most affected part of the State Department's overall system was the domestic passport offices, where they experienced a slowdown."]

After first appearing on August 19, Welchia caused quite a stir as one of the few so-called “anti-virus viruses” designed to neutralize other malware programs. In this instance, the antidote became no less infamous than the Lovesan (Blaster) network worm that screamed across the Internet a few days earlier.

Just like Lovesan, Welchia penetrates computers via a breach in the Windows security system. It only infects a machine after verifying that Lovesan had previously infected it. Welchia deletes the Lovesan virus, restores the damaged system and downloads the Windows patch needed to close the vulnerability. Despite seemingly good intentions, Welchia is a dangerous virus that spread via a powerful distribution system enabling it to span the globe within minutes.

How it could have managed to penetrate highly sensitive government computer systems one month after the start of its epidemic is hard to understand, especially when the U.S. State Department no doubt has firewalls set up to avert such unsanctioned access.

Furthermore, it is important to remember how Welchia spreads. The virus only penetrates systems already infected by Lovesan (Blaster); however, there has been no mention of the dangerous Lovesan virus by the State Department. Given such silence, it is possible that there was never any Welchia infection. Rather, this account could have been used as a pretext to smooth over another technology related incident. It's unlikely we'll ever know for sure.