Article ID: 871277 - View products that this article applies to.
INTRODUCTIONMicrosoft teams are investigating a report of a security issue that affects customers who are using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer. IIS and Internet Explorer are components of Windows.
Reports indicate that Web servers that are running Windows 2000 Server and IIS are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code if either of the following conditions are true:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspxThis article describes how to determine if your Windows 2000-based computer that runs IIS 5.0 is compromised by Download.Ject. This article also describes how to recover from this infection.
This article describes how administrators can determine if a Microsoft Windows 2000-based computer that is running IIS 5.0 is compromised with malicious code that exploits a vulnerability that is addressed in Microsoft Security Bulletin MS04-011 (835732).
How to determine if your Windows 2000 server is compromisedTo determine if your server is infected with Download.Ject, use one of the following methods:
Method 1: Check document footers on the IIS server
Method 2: Determine if any of the following files exist in the specified foldersIf the following files exist on the computer, the computer is compromised:
Date Time Size File name ----------------------------------------- 06/22/2004 07:23a 9,760 Agent.exe 06/22/2004 07:23a 31 Ftpcmd.txt
Note The date and time that are listed for the files may differ.
Date Time Size File name ----------------------------------------- 06/22/2004 07:23a 838 iis72f.dll 06/22/2004 07:23a 838 iis72c.dll 06/22/2004 07:23a 838 iis736.dll 06/22/2004 07:23a 838 iis733.dll 06/22/2004 07:23a 838 iis722.dll 06/22/2004 07:23a 838 iis71f.dll 06/22/2004 07:23a 838 iis729.dll 06/22/2004 07:23a 838 iis726.dll 06/22/2004 07:23a 838 iis74a.dll 06/22/2004 07:23a 838 iis746.dll
How to recover from the compromiseNote Microsoft believes that if you installed the updates for MS04-011 manually or by using Automatic Updates before April 25, 2004, and you have restarted your computer, you are already protected against this issue. If you find that your computer has been compromised, please contact Microsoft Product Support Services (PSS) immediately. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMSFor information about how to recover from this compromise, visit the following Web sites:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.htmlFor additional information, click the following article number to view the article in the Microsoft Knowledge Base:
873018You can manually remove the files that are part of this compromise. To do this, follow these steps.
(http://support.microsoft.com/kb/873018/ )Download.Ject Payload Detection and Removal Tool
Note If your server has been compromised, we strongly recommend that you rebuild the server.