U.S. State Department Blames The Welchia Virus

25 Sep 2003
Virus News


After the shock and horror of September 11, 2001 the U.S.A. decided to fortify its borders with the passage of the Patriot Act. One aspect of the Patriot Act was to upgrade the State Department's Consular Lookout and Support System (CLASS), which contains more than 12.8 million records from the FBI, the State Department and U.S. immigration, drug-enforcement and intelligence agencies. Among the records are the names of at least 78,000 suspected terrorists. All U.S. consulates and embassies check every person applying for a U.S. Visa against CLASS' extensive database of undesired visitors. It is one of many hurdles visa applicants must clear in their often-trying quest to obtain a U.S. visa. The CLASS check is mandatory, without it the issuance of a Visa is not possible. The automated Visa system is programmed to not even print Visa documents until the CLASS check has been run and successfully passed. One would assume, based on the tremendous size, importance and sensitive nature of the CLASS database, that the Consular Lookout and Support System would have been fully protected from all sides against any threats. Recent events run contrary to this assumption. On September 23rd CLASS ceased to function for several hours due to the detection of a computer virus, and thus, for that time nowhere in the world was a U.S. visa issued. With no immediate backup system ready, thousands of visa candidates found themselves in a state of limbo. U.S. government representatives did not specifically name the malicious program that penetrated their computer systems, however, a message sent to all American embassies and consular offices told that the 'Welchia' virus had been found in one facility. Recently Welchia was in the news as the cause of an epidemic at the end of August 2003 when it compromised hundreds of thousands of computers the world over. After first appearing on August 19th Welchia caused quite a stir as one of the few so-called 'anti-virus viruses' designed to neutralize other malware programs. In this instance the antidote became no less infamous than the Lovesan (Blaster) network worm that screamed across the Internet a few days earlier. Just like Lovesan, Welchia penetrates computers via a breach in the Windows security system; it only infects a machine after verifying that Lovesan had previously infected it. Welchia deletes the Lovesan virus, restores the damaged system and downloads the Windows patch needed to close the vulnerability. Despite seemingly good intentions, Welchia is a dangerous virus that achieved a massive scale via its powerful distribution system that enabled it to span the globe within minutes. How it could have managed to penetrate highly sensitive government computer systems one month after the start of its epidemic is hard to understand, especially when it is certain the U.S. State Department has firewalls set up specifically to avert such unsanctioned access. Furthermore, it is important to remember how Welchia spreads. The virus only penetrates systems already infected by Lovesan (Blaster); yet, there has been no mention of the dangerous Lovesan virus by the State Department.