Agencies fight off 'Melissa' macro virus

Federal agencies last week found themselves doing battle with a wildly proliferating computer virus dubbed "Melissa" that even managed to make its way on board a Navy ship. However, thanks in part to timely alerts and contingency planning, agencies managed to contain the damage.

The Melissa macro virus, which affects computers running Microsoft Corp.'s Word 97, Word 2000 and Outlook, began swarming across the Internet in late March, infecting mail servers across government agencies and throughout the public sector.

The federally funded Computer Emergency Response Team Coordination Center (CERT/CC), based at Carnegie Mellon University, issued a public warning to government agencies and to the general public immediately after Melissa was identified on March 26.

Still, the virus managed to infect a broad array of agency systems, including a Navy ship off the coast of Guam. But the CERT/CC's warning spurred agencies to take action, including updating anti-virus software on PCs, temporarily shutting down gateways to install filtering software and in some cases bringing systems down to purge them of Melissa-infected e-mail and to prevent the spread of the virus.

The exercise tested the ability of agencies to handle a threat such as Melissa, federal IT managers said.

"The response this time seemed to be very good," said Keith Thurston, assistant to the deputy associate administrator for information technology policy at the General Services Administration and a member of the Interoperability Committee of the CIO Council. "Not only did government managers perform well, the vendors cooperated very well. Each vendor had software patches available" almost immediately, he said.

Still, some of the larger government organizations, particularly in the Defense Department, were hit hard and ended up bringing down their e-mail servers for several days.

Melissa Signs On

The Melissa virus managed to spread into the Defense Department's worldwide classified intranet, FCW confirmed. A spokeswoman for the Joint Task Force for Computer Network Defense said DOD identified "one occurrence" of the virus ending up on a computer connected to the DOD Secret Internet Protocol Router Network, a highly secure network designed to carry highly sensitive traffic. But the spokeswoman declined to identify the location of that infected computer.

"This was a major concern from the beginning, and we worked hard to mitigate the threat by promptly informing our employees of the appropriate actions to take," the JTF-CND spokeswoman said.

The spokeswoman said DOD could not quantify the extent of the impact except to say that it was "widespread.... [But] the impact on DOD was minimized significantly because of the department's ability to quickly assess the situation and get out information and direction. For the first time, we were organized to be proactive rather than reactive."

The Army and the Air Force took their servers down servicewide for a weekend to purge them of any messages that might have contained the virus.

The Army was able to react very quickly to Melissa because one of the first Army users in the Pentagon to receive a malignant Melissa message was the assistant to the secretary of the Army, according to Col. John Deal, executive officer in the Office of the Director of Army Systems for Command, Control, Communications and Computers. Deal said he received a call from that assistant around 5 p.m. Friday, March 26, wanting to know "what the hell was going on" after receiving an e-mail containing a list of pornographic World Wide Web sites.

The fast-spreading virus also forced the Marine Corps to shut down its base-to-base e-mail communications through Tuesday, March 30, according to a Marine Corps spokeswoman.

While the Marine Corps maintained internal communications within each base, all base-to-base e-mail connectivity was shut down until network administrators felt comfortable that the appropriate security measures were taken, the spokeswoman said. Other Internet connections between bases were not affected.

Like DOD, the Department of Veterans Affairs, which is one of the largest users of Microsoft's Outlook in the country, with more than 60,000 users, also took down its e-mail system the day Melissa was discovered. The agency purged the system of any infected messages and had it back up and running smoothly on the following Monday.

To address the Melissa threat, VA officials at headquarters contacted vendors to get the appropriate patches and software to filter out the virus. Over the weekend after the virus was first identified, about 6,500 Melissa-tainted messages were caught, and by late last week, another estimated 3,500 had been isolated from the office's e-mail traffic.

The full extent of Melissa's effect at the VA is unclear because the agency, with close to 500 offices nationwide, is highly decentralized, said Allan Gohrband, the VA's associate deputy assistant secretary for IT policy and program assistance. But if a catastrophe had occurred, headquarters would have been notified, he said.

Agencies always should expect the unexpected and should not be afraid to take pre-emptive measures such as shutting down a system, Gohrband said. "I suspect there's nothing we can do other than keep our eyes open. A delay in the mail is much preferable than going back and trying to clean up."

The Energy Department, however, also had a potentially extensive problem to deal with. William Orvis, security specialist with DOE's Computer Incident Advisory Capability (CIAC) team, said one DOE site with 1,000 users, which he would not identify, was infected with the virus on March 26, "before we knew anything was happening."

Copies of the virus generated "hundreds" of internal e-mail messages before the office was able to install a patch from Sendmail Inc. to block them, according to the agency.

"I don't know that anything crashed dead because of [Melissa], but it slowed things down tremendously," Orvis said. By around noon Monday, March 29, after the filter was in place, the site had blocked 15,000 Melissa-generated messages. The patch "slowed it down enough so they could get the e-mail queues cleaned out and everyone disinfected," he said.

CIAC provides security warnings and technical assistance for DOE labs and offices. Its procedures for warning systems administrators about security breaches or viruses depend on the severity of the problem. With Melissa, CIAC worked until early Saturday morning - the day after the virus was discovered - to write a bulletin about Melissa and then called up DOE managers on Sunday to advise them of their options for preventing damage.

The Key to Containment

Communications proved to be the key to containing the virus at a number of agencies, where IT administrators controlled the virus before it became a serious problem.

By 7 a.m. the day after Melissa was discovered, the Computer Emergency Response Teams (CERTs) from each of the military services, as well as the central DOD CERT, posted advisory bulletins on their Web sites to alert employees about the virus, according to the JTF-CND spokeswoman.

The bulletins explained how the virus behaves, what signature files from Symantec Corp.'s Norton and McAfee Associates Inc.'s VirusScan anti-virus software are applicable and what should be done with an infected file. DOD agencies also used electronic banners to alert employees as soon as they logged on to their computers.

The USS Blue Ridge, operating 20 miles off the coast of Guam, managed to stop Melissa before it spread after receiving an alert from the Navy's Fleet Information Warfare Center.

The ship's IT staff identified three e-mail messages that had the virus and isolated them before they spread throughout the ship's unclassified local-area network, which hosts 1,600 e-mail accounts, said Dennis Kaida, a network and systems engineer from the Navy's Space and Naval Warfare Systems Command who is temporarily assigned to the Blue Ridge.

Kaida said that by the time the 7th Fleet network staff had isolated the e-mails containing the virus, the network crew had gone to the Symantec home page and downloaded Norton AntiVirus software that works against the Melissa virus.

As word about the virus spread, both the CERT/CC and the Federal Computer Incident Response Capability played a vital role in advising agencies.

FedCIRC, which helps agencies prevent and recover from technology-related security attacks, fielded phone calls about Melissa, said Judith Spencer, director of the Center for Governmentwide Security at GSA. And the FedCIRC and CERT/CC Web sites got more than 1 million hits combined on March 29 alone, she said.

FedCIRC and the entire infrastructure protection system team will evaluate their response to the virus and see "how we did and what we missed," Spencer said. One lesson already learned is that having different e-mail standards throughout the government can help. "The diversity of e-mail clients, in this case, kind of saved our bacon," she said.

Centralized e-mail management also can help control situations such as Melissa, some agencies found. For example, the Transportation Department uses Control Data Systems Inc.'s Mail*Hub suite of products to send all messages through a single Unix-based system and to provide an X.500 directory service that ties the department together.

DOT received a Simple Mail Transfer Protocol filter from Control Data that trapped about 40 incoming Melissa-

infected messages, said Eric Baldwin, senior e-mail systems administrator at DOT. Because most of the department's e-mail traffic flows through Mail*Hub first, viruses are more easily controlled and problems pinpointed, Baldwin said. In addition, Mail*Hub already has filtering and anti-virus software incorporated into it to weed out viruses early on.

Altogether, as of late last week, the CERT/CC reported that more than 300 organizations and 100,000 individual hosts were affected by Melissa. Microsoft shut down all outgoing mail messages until it removed the virus from its system and made users aware of the ability to disable the macro function in Word to prevent infection by a macro virus such as Melissa. A joint investigation by the FBI and New Jersey state police resulted in an arrest last Thursday of a suspect who was charged with originating the virus.