Anne Arundel is back online after virus hits

An Internet virus that has bedeviled media outlets across the country forced Anne Arundel County to shut down more than 2,000 computers this week, sending technicians on a furious race to contain the outbreak and produce payroll checks for county employees.

The fast-mutating virus, known as Rinbot, disrupted operations at the Turner Broadcasting System last week, then attacked computers at The Boston Globe and almost all of the McClatchy Co.'s 32 newspapers.


The malicious software, which takes command of PCs and can turn them into "zombies" that attack other systems or send out millions of spam e-mails, turned up in Anne Arundel County on Wednesday.

Officials said technical-support staff began receiving scattered reports Wednesday morning of PCs that started up slowly and displayed repeating symbols and numbers where text was supposed to appear.


Realizing that a virus was on the loose, administrators shut down much of the county's non-emergency network to keep the virus from spreading.

Bill Ryan, the county's information technology officer, said the county was cleaning up infected computers with software provided by Symantec, the Cupertino, Calif., security firm that is paid $70,000 a year to protect Anne Arundel's computers from these kinds of attacks.

He said some computers began coming online at 11 a.m. yesterday - about 24 hours after IT workers shut down the system.

Officials so far have been unable to detect the source of the virus.

So far, no other governments in the Baltimore area have reported similar infections. Several, including Howard, Carroll and Harford counties, use the same corporate Symantec security software.

Payroll first

Anne Arundel officials said their technical staff moved first to restore payroll computers, along with those that perform non-essential recordkeeping for the police and fire departments.

But for the better part of two days, hundreds of forms for bills, permits and document requests that would normally be filled out electronically in county offices were done by hand.


"County residents should not have known any difference," said county spokeswoman Rhonda Wardlaw. "County government employees understand the reality of what we needed to do to keep government running."

Ryan said the county's overall network did not crash and at no time was Anne Arundel's emergency operations system - which comprises about 2,000 computers - affected. The county's Web site remained online.

Ryan said his staff is moving cautiously with software fixes to prevent a mutated form of the virus from being introduced. Asked whether the computers could be back online today, he said: "It's too early for me to say that, in all honesty."

Still unresolved is how the virus pierced the county's defenses. Security experts say the first version, attributed to an unknown hacker with an apparent grudge against Symantec, appeared last year and targeted a flaw in the company's security software.


Once Symantic analyzed the virus, it released a "patch" in the spring of 2006 and urged network administrators across the country to install the software.


When the virus surfaced again last week in the Turner network, parent of CNN, and McClatchy newspaper computers, it appeared to target some machines that had never been patched or that were running old versions of Microsoft Windows that couldn't be patched.

"The variations of that we're seeing now still exploit the same vulnerability against which Symantec provided an update," said Ron O'Brien, a security analyst for Sophos, a Massachusetts-based network security company that competes with Symantec.

Others aren't so sure. Ryan said the county had applied all of Symantec's patches on time, and a Symantec spokesman said he did not know whether previous software patches would have protected against this version of the virus, known as Win32.Rinbot.Y.

"Thousands of viruses come out every day," said Ryan. "Sometimes there's a remedy for them; sometimes ... we don't have a remedy for them, which was the case."

Sophos' O'Brien said the virus, which his company calls Delbot, is mutating rapidly, with seven identified variants this week and five last week.

Clay Myers, information technology director at McClatchy's Tri-City Herald in Kennewick, Wash., where the virus struck Feb. 27, said he's still worried.


"I've got a bad feeling about what this could do everywhere else," he said. "We've got strong defenses here, and we had all the most recent updates from Symantec and everywhere else."

A few years ago, O'Brien said, most invaders such as Rinbot/Delbot were spread through e-mail attachments. When users opened them, thinking they were looking at a photo or some other document, they were running malicious programs.

However, e-mail filters have become so proficient at screening out viruses that hackers are increasingly luring victims by sending messages with links to Web pages that automatically transmit virus-laden software to unprotected computers.

Sun reporters Laura McCandlish, Brad Olson, Justin Fenton and Mike Himowitz contributed to this article.