'Love' bug swarms over state, federal agencies

By GCN Staff

MAY 4'A fresh wave of virus-loaded e-mails disrupted government operations today as the "ILOVEYOU" infection swiftly spread around the world, helped along by unsuspecting victims who opened what appeared to be affectionate messages from friends and colleagues.

Officials at the Computer Emergency Response Team Coordination Center at Carnegie Mellon University in Pittsburgh said the ILOVEYOU virus, which targets users of Microsoft Outlook, is similar to last year's Melissa virus. Both spread as an e-mail attachment, but I LOVE YOU is delivered as executable program rather than as a macro program in a Microsoft Word document [see story at www.gcn.com/archives/gcn/1999/April5/1.htm].

When the executable attachment is run, under certain conditions, it will send copies of itself to all addresses in the user's address book. The virus also spreads through other means, such as infecting other files on the disk on the local machine, and on network-mounted disk drives, CERT said.

The House Government Reform Committee received hundreds of affected e-mails.

"I personally got 30 or more of these e-mails," said Mark Coralla, committee spokesman. "They came in batches of five to six. Others got hundreds."

Corinne Zaccagnini, the committee's chief information officer, said two to three users out of 140 opened the e-mail.

"These people were those that got in really early-before the notice went up," Zaccagnini said. She received a page from the House Information Resources office at 8 a.m. while she was watering her flowers, she said. She raced to the office, trying to notify as many users as possible via voice mail while en route. When she reached the office she posted signs on all entrances, directing users to delete the messages.

She said HIR also posted a warning on its intranet site at 7:55 a.m., and sent out a voice mail to all House users at 8:40 a.m. HIR than implemented a server rule, which scanned all e-mail subjects every 15 minutes to reject e-mail with the subject "ILOVEYOU."

Zaccagnini said her office also implemented a client scanning system to catch any affected messages that slipped HIR's scan.

The House pulled though pretty well, but the notification could have been quicker, she said.

The Immigration and Naturalization Service reported that the virus affected files with JPEG extensions housed on a server at INS headquarters. The server was not shut down, and mission-critical systems were not affected, a spokesman said.

Tracy Williams, director of technology development in the Office of the Senate Sergeant of Arms, said only a half dozen Senate users reported problems from the virus.

Williams said Senate users were not affected because the chamber uses Lotus cc:Mail for messaging.

A handful of Senate offices shut down their servers as a precaution, he said. His office discovered the problem between 7 a.m. and 8 a.m., and sent out warnings by 9 a.m. to Senate users.

Although most information technology staffs at federal agencies moved quickly to shut down e-mail systems in an attempt to prevent infection, some were too late.

"We were notified this morning about 7:30 or 7:45, but it was already inside the system," said Craig Luigart, CIO at the Education Department.

By that time, several hundred Education employees had received the virus, and 17 launched it, he said. Education's e-mail system was up and down all day as several employees accidentally re-infested the system by opening the attachment, he said.

"We have it under control, but there has been an impact on productivity," Luigart said. "It is a CIO's nightmare."

The Energy Department's East Coast facilities suffered from the attack, which forced some smaller sites to shut down their systems, said Lisa Cutler, an agency spokeswoman. West Coast facilities were warned about the virus before it affected them, she said.

At the Social Security Administration, IT workers took the e-mail system offline.

"The virus is on our computers, but it hasn't affected daily business," said Mark Hinkle, an agency spokesman. While the e-mail portal on SSA's Web site was disabled, the rest of the site is still operational, he said.

Systems at the Commerce and State departments weren't affected, officials said. At Health and Human Services, where workers were receiving several thousand infected messages per hour at one point, the staff prevented serious problems by using a voice mail message to warn staffers about the virus before they logged on to the network.

Other federal agencies reportedly hit included the Pentagon and other Defense Department locations, the Federal Reserve and the Coast Guard.

Thursday afternoon, Defense spokeswoman Susan Hansen said, "We certainly have seen scattered instances of it throughout the Defense Department, but I don't have any overall assessment at this time. Our joint task force on computer network defense has this under consideration."

The White House said its systems had not been materially affected.

"Speaking just for the White House, the operations are running as normal," White House spokesman Joe Lockhart said during his regular press briefing early Thursday afternoon.

"I understand there are a few isolated cases that have been dealt with, but our cyber-security people dealt with this when they became aware of this this morning, and the operations are running smoothly
today, without any real impact from this most recent computer virus," he said.

"I think the government has responded quite quickly this morning," he said.

The virus did not spare state government systems. In Arkansas, it prompted a shutdown of most state e-mail systems at about 9 a.m. Thursday, said Mike Kent, operations specialist with the state's Department of Information Systems. State officials had first seen messages generated by the ILOVEYOU virus about two hours before, he said.

"We are scanning e-mail files, identifying those affected and deleting them," Kent said. In the first two hours of scanning, state employees had identified about 2,000 affected e-mail messages, he said. Arkansas officials said they expected to restore their systems to normal operation within 24 hours of the shutdown.

"It's too early to estimate the costs of the incident," Kent added. "What yardstick would you use?"

The virus also hit state systems in Missouri. Mike Benzen, state chief information officer, said the virus had brought down about a dozen of 40 e-mail networks, each for about a half an hour.

Systems administrators in Missouri worked to remove the virus from desktop systems where users had opened the virus attachment, Benzen said. That task that took about five minutes for each PC, he said. Only about 10 percent of the state's desktop computers were affected, he said.

"It was a nuisance," Benzen added. "It was unfortunate but there's not much you can do about it."

In Pennsylvania, the ILOVEYOU virus prompted three state agencies to shut down their e-mail systems: the governor's office, the Department of Corrections and the Pennsylvania Higher Education Assistance Authority.

Scott Elliot, spokesman for Pennsylvania's Office of Information Technology, said, "Our e-mail management team spotted it at 7:50 [a.m.], and by 8:02 [a.m.] they had sent notices to all employees warning them not to open the attachment. By 8:30 [a.m.], the team had developed a script to identify and quarantine the e-mails."

Pennsylvania state agencies operate some 40,000 desktop computers, he said.

The virus, first reported in Asia early Thursday morning, has the potential to overload e-mail servers, but there have been no reports of it destroying disks, as Melissa did in some cases.

The executable is titled "ILOVEYOU" or "LOVE-LETTER-FOR-YOU."

The FBI's National Infrastructure Protection Center has posted an advisory about the virus at www.fbi.gov/nipc/advis00-041.htm.

CERT is also updating its site regularly at www.cert.org/current/current_activity.html#loveletter.

- Shruti Date, Wilson Dizard, Christopher J. Dorobek and Tony Lee Orr contributed to this report.