Love Bug took a bite out of agencies' e-mail systems

By GCN StaffGovernment information technology administrators scrambled to respond to the ILOVEYOU worm that spread around the world this month. Despite a barrage of thousands of infected e-mail messages, they managed to avoid serious trouble.'The virus is on our computers, but it has not affected daily business,' Social Security Administration spokesman Mark Hinkle said early on May 4, when the virus began spreading in the United States.SSA took its e-mail system offline. Although the e-mail portal on the agency's Web site was disabled, the rest of the site remained operational, Hinkle said.'We have it under control, but there has been an impact on productivity,' said Craig Luigart, chief information officer at the Education Department. 'It's a CIO's nightmare.'Luigart learned of the attack by 7:45 a.m. on May 4, 'when it was already inside the system,' he said. Of hundreds of employees who received the message, 17 launched it. The department's e-mail system was up and down all day as workers accidentally caused reinfestation by opening the attachment, he said.Almost as quickly as the virus spread through Asia, Europe and North America, investigators traced its route back to the Philippines. The FBI and Philippine authorities quickly identified the computer they believed was the source, and by May 9 they were questioning suspects.The federally funded CERT Coordination Center at Carnegie Mellon University described ILOVEYOU as a worm that replicates itself via e-mail, Internet chat programs and infected files. Written in Visual Basic, it arrives as an attachment to an e-mail with the subject line 'ILOVEYOU' or some enticing variant. When the attachment is executed on a PC running Microsoft Windows and Internet Explorer 5.0, the worm uses the Microsoft Outlook address book to send out copies of itself.It also searches for and overwrites files with the extensions .jpg, .vbs, .js, .jse, .css, .wsh, .sct, .hta, .mp3 and .mp2. If an Internet relay chat client is installed, the worm generates a Hypertext Markup Language file to infect other IRC users in a chat room.Antivirus vendors rapidly identified signatures for the infection and updated their files within hours of the discovery. Users jammed the vendors' Web sites looking for information and trying to download updated signature files.Because of its ability to spread to all listings in an address book, ILOVEYOU got around fast. Security adviser ICSA.net of Reston, Va., estimated it had infected more than 1 million computers by 9 a.m EST on May 4, doing more than $100 million worth of damage.Damage from such viruses is difficult to estimate, but ICSA.net predicted total costs for the outbreak could top $1 billion.On Capitol Hill, the House Information Resources office implemented a server rule after hundreds of affected e-mails came in. HIR's server scanned e-mail subject lines every 15 minutes and rejected messages with the worm's subject line.Corinne Zaccagnini, CIO of the House Government Reform Committee, said she used a client scanning system to catch affected messages that had made it past the HIR scan.HIR posted a warning on its intranet at 7:55 a.m. and sent out a broadcast voice mail to House users. Zaccagnini also posted signs at building entrances urging users to delete the messages.In the Senate, which uses Lotus cc:Mail, the worm made little headway, said Tracy Williams, director of technology development in the Office of the Sergeant at Arms. The Immigration and Naturalization Service reported infected .jpg files on a headquarters server but did not shut it down. Systems at the Commerce and State departments were unaffected, but the Health and Human Services Department received several thousand infected messages per hour at the height of the attack. Staff members were warned by voice mail about the worm.The White House received some copies of the virus but was not materially affected, spokesman Joe Lockhart said. The Federal Reserve, Coast Guard, Pentagon, Marine Corps and other Defense Department sites also reported infections.State governments were not spared. Arkansas shut down most state e-mail systems about 9 a.m. and began scanning e-mail files after that, said Mike Kent, operations specialist for the Information Systems Department. About 2,000 affected messages appeared within the first two hours, he said.In Missouri, state CIO Mike Benzen said the virus brought down about a dozen of 40 e-mail networks for about half an hour each. Benzen called the outbreak a nuisance and said about 10 percent of the state's desktop systems were affected.In Pennsylvania, the virus prompted the governor's office, the Corrections Department and the Higher Education Assistance Authority to shut down e-mail systems. The e-mail management team in the state's IT office spotted the virus at 7:50 a.m., notified employees by 8:02 a.m., and had developed a script to recognize and quarantine the e-mail messages by 8:30 a.m.