Internet Information Services (IIS) 5.0 – Download.Ject detection and recovery advisory

Article ID: 871277
INTRODUCTION
Microsoft teams are investigating a report of a security issue that affects customers who are using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer. IIS and Internet Explorer are components of Windows.

Reports indicate that Web servers that are running Windows 2000 Server and IIS are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code if either of the following conditions is true:
  • Update 835732 (fixed in Microsoft Security Bulletin MS04-011) has not been applied.
  • Update 835732 has been applied, but the computer has not been restarted.
For more information about update 835732, review Microsoft Security Bulletin MS04-011 at:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
This article describes how to determine if your Windows 2000-based computer that runs IIS 5.0 is compromised by Download.Ject. This article also describes how to recover from this infection.
SUMMARY

This article describes how administrators can determine if a Microsoft Windows 2000-based computer that is running IIS 5.0 is compromised with malicious code that exploits a vulnerability that is addressed in Microsoft Security Bulletin MS04-011 (835732).

MORE INFORMATION

How to determine if your Windows 2000 server is compromised

To determine if your server is infected with Download.Ject, use one of the following methods:

Method 1: Check document footers on the IIS server

  1. Click Start, and then click Run.
  2. In the Open box, type the following, and then click OK:
    %SystemRoot%\System32\inetsrv\iis.msc
  3. In the IIS MMC, expand Computer_Name (local computer), and then expand Web Sites.

    Note Computer_Name is a placeholder for the name of your computer.
  4. Right-click a Web site, and then click Properties.
  5. Click the Documents tab, and then locate the Enable document footer check box. You may be infected with Download.Ject if the Enable document footer check box is selected and the path to the document footer file points to a file that has a name that is similar to %Systemroot%\Winnt\System32\Inetsrv\Iis<3 random digits>.dll.

Method 2: Determine if any of the following files exist in the specified folders

If the following files exist on the computer, the computer is compromised:

%Systemroot%\System32
Date        Time     Size     File name
-----------------------------------------
06/22/2004  07:23a   9,760    Agent.exe
06/22/2004  07:23a      31    Ftpcmd.txt
%Systemroot%\System32\inetsrv
Date        Time       Size    File name
-----------------------------------------
06/22/2004  07:23a     838     iis72f.dll
06/22/2004  07:23a     838     iis72c.dll
06/22/2004  07:23a     838     iis736.dll
06/22/2004  07:23a     838     iis733.dll
06/22/2004  07:23a     838     iis722.dll
06/22/2004  07:23a     838     iis71f.dll
06/22/2004  07:23a     838     iis729.dll
06/22/2004  07:23a     838     iis726.dll
06/22/2004  07:23a     838     iis74a.dll
06/22/2004  07:23a     838     iis746.dll
Note The date and time that are listed for the files may differ.
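The two checks above (the document footer path from Method 1 and the dropped files from Method 2) can be scripted so that many servers are checked the same way. The following is an added example, not part of the Knowledge Base article or any Microsoft tool; it builds a constructed sample %SystemRoot% tree in a temporary directory and assumes the administrator supplies the footer setting read from the IIS MMC by hand. The file names and the Iis<3 random digits>.dll footer pattern are the ones the article lists (the listed samples use hexadecimal characters, so the pattern accepts 0-9 and a-f).

```python
import os
import re
import tempfile

# Indicators from the article: files dropped into System32, and the
# Iis<3 random digits>.dll footer file placed in System32\inetsrv.
SYSTEM32_INDICATORS = {"agent.exe", "ftpcmd.txt", "adv.vbs", "ads.vbs"}
FOOTER_DLL_RE = re.compile(r"^iis[0-9a-f]{3}\.dll$", re.IGNORECASE)


def footer_path_is_suspicious(footer_path):
    """Method 1: footer path points at ...\Inetsrv\Iis<3 random digits>.dll."""
    if not footer_path:
        return False
    parts = footer_path.replace("\\", "/").lower().split("/")
    return (len(parts) >= 2 and parts[-2] == "inetsrv"
            and FOOTER_DLL_RE.match(parts[-1]) is not None)


def scan_system_root(system_root, footer_enabled=False, footer_path=""):
    """Method 2 plus the footer check; returns the indicators found, in order."""
    findings = []
    system32 = os.path.join(system_root, "System32")
    inetsrv = os.path.join(system32, "inetsrv")
    if os.path.isdir(system32):
        for name in sorted(os.listdir(system32)):
            if name.lower() in SYSTEM32_INDICATORS:
                findings.append(os.path.join(system32, name))
    if os.path.isdir(inetsrv):
        for name in sorted(os.listdir(inetsrv)):
            if FOOTER_DLL_RE.match(name):
                findings.append(os.path.join(inetsrv, name))
    if footer_enabled and footer_path_is_suspicious(footer_path):
        findings.append("document footer -> " + footer_path)
    return findings


def build_sample_tree(compromised=True):
    """Constructed sample: a fake %SystemRoot%; with compromised=True it
    contains two of the article's indicators next to benign files."""
    root = tempfile.mkdtemp(prefix="winnt_")
    os.makedirs(os.path.join(root, "System32", "inetsrv"))
    names = ["System32/kernel32.dll", "System32/inetsrv/iis.msc"]
    if compromised:
        names += ["System32/Agent.exe", "System32/inetsrv/iis72f.dll"]
    for rel in names:
        with open(os.path.join(root, rel.replace("/", os.sep)), "w") as fh:
            fh.write("sample")
    return root


if __name__ == "__main__":
    for hit in scan_system_root(build_sample_tree(), True,
                                r"C:\Winnt\System32\Inetsrv\Iis72f.dll"):
        print("indicator:", hit)
```

A real run points `scan_system_root` at the server's %SystemRoot% and passes the footer setting seen on the Documents tab; any finding is a reason to follow the recovery section rather than to delete files piecemeal.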

How to recover from the compromise

Note Microsoft believes that if you installed the updates for MS04-011 manually or by using Automatic Updates before April 25, 2004, and you have restarted your computer, you are already protected against this issue. If you find that your computer has been compromised, please contact Microsoft Product Support Services (PSS) immediately. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMS
For information about how to recover from this compromise, visit the following Web sites:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

http://technet.microsoft.com/en-us/library/dd450371.aspx

http://technet.microsoft.com/en-us/library/cc700813.aspx
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
873018 Download.Ject Payload Detection and Removal Tool
You can manually remove the files that are part of this compromise. To do this, follow these steps.

Note If your server has been compromised, we strongly recommend that you rebuild the server.
  1. To help protect your computer against Download.Ject, you must first download and install security update 835732, which was released with Microsoft Security Bulletin MS04-011. You can find update 835732 listed in the Critical Updates and Service Packs section of the Windows Update Web site. You can also download and install this update manually from the Microsoft.com Download Center. To find the download for your operating system, see Technical Security Bulletin MS04-011.
  2. After you install the security update, delete the following files:
    • %windir%\System32\Adv.vbs
    • %windir%\System32\Ftpcmd.txt
    • %windir%\System32\Agent.exe
    • %windir%\System32\Ads.vbs
    • %windir%\System32\Inetsrv\Iis<3 random digits>.dll
  3. Remove the document footer:
    1. Click Start, and then click Run.
    2. In the Open box, type the following, and then click OK:
      %SystemRoot%\System32\inetsrv\iis.msc
    3. In the IIS MMC, expand Computer_Name (local computer), and then expand Web Sites.

      Note Computer_Name is a placeholder for the name of your computer.
    4. Right-click a Web site, and then click Properties.
    5. On the Documents tab, click to clear the Enable document footer check box, or specify the path to your document footer file in the text box.
    6. Click OK.
    7. Repeat steps 4, 5, and 6 for any additional Web sites that are configured on the local computer.

Properties

Article ID: 871277 - Last Review: November 21, 2006 - Revision: 3.5
APPLIES TO
  • Microsoft Internet Information Services 5.0, when used with:
    • the operating system: Microsoft Windows 2000
Keywords: 
kbpubtypekc kbvirus kbsecvulnerability kbsecurity kbinfo KB871277