Microsoft KB Archive/871277

= Internet Information Services (IIS) 5.0 – Download.Ject detection and recovery advisory =

Article ID: 871277

Article Last Modified on 11/21/2006

-

APPLIES TO


 * Microsoft Internet Information Services 5.0, when used with:
 * Microsoft Windows 2000 Standard Edition

-



SUMMARY
This article describes how administrators can determine if a Microsoft Windows 2000-based computer that is running IIS 5.0 is compromised with malicious code that exploits a vulnerability that is addressed in Microsoft Security Bulletin MS04-011 (835732).



INTRODUCTION
Microsoft teams are investigating a report of a security issue that affects customers who are using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer. IIS and Internet Explorer are components of Windows.

Reports indicate that Web servers that are running Windows 2000 Server and IIS are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code if either of the following conditions are true:
 * Update 835732 (fixed in Microsoft Security Bulletin MS04-011) has not been applied.
 * Update 835732 has been applied, but the computer has not been restarted.

For more information about update 835732, review Microsoft Security Bulletin MS04-011 at:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

This article describes how to determine if your Windows 2000-based computer that runs IIS 5.0 is compromised by Download.Ject. This article also describes how to recover from this infection.



How to determine if your Windows 2000 server is compromised
To determine if your server is infected with Download.Ject, use one of the following methods:

Method 1: Check document footers on the IIS server
 Click Start, and then click Run. In the Open box, type the following, and then click OK:

%SystemRoot%\System32\inetsrv\iis.msc

 In the IIS MMC, expand  (local computer), and then expand Web Sites.

Note is a placeholder for the name of your computer. Right-click a Web site, and then click Properties. Click the Documents tab, and then locate the Enable document footer check box. You may be infected with Download.Ject if the Enable document footer check box is selected and the path to the document footer file points to a file that has a name that is similar to %Systemroot%\Winnt\System32\Inetsrv\Iis .dll.

Method 2: Determine if any of the following files exist in the specified folders
If the following files exist on the computer, the computer is compromised:

%Systemroot%\System32 Date       Time     Size     File name - 06/22/2004 07:23a   9,760    Agent.exe 06/22/2004 07:23a      31    Ftpcmd.txt %Systemroot%\System32\inetsrv <pre class="fixed_text">Date       Time       Size    File name - 06/22/2004 07:23a     838     iis72f.dll 06/22/2004 07:23a     838     iis72c.dll 06/22/2004 07:23a     838     iis736.dll 06/22/2004 07:23a     838     iis733.dll 06/22/2004 07:23a     838     iis722.dll 06/22/2004 07:23a     838     iis71f.dll 06/22/2004 07:23a     838     iis729.dll 06/22/2004 07:23a     838     iis726.dll 06/22/2004 07:23a     838     iis74a.dll 06/22/2004 07:23a     838     iis746.dll Note The date and time that are listed for the files may differ.

How to recover from the compromise
Note Microsoft believes that if you installed the updates for MS04-011 manually or by using Automatic Updates before April 25, 2004, and you have restarted your computer, you are already protected against this issue. If you find that your computer has been compromised, please contact Microsoft Product Support Services (PSS) immediately. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;[LN;CNTACTMS]

For information about how to recover from this compromise, visit the following Web sites:

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

http://www.microsoft.com/technet/security/prodtech/iis.mspx

http://www.microsoft.com/technet/security/secnews/articles/gothacked.mspx

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

873018 Download.Ject Payload Detection and Removal Tool

You can manually remove the files that are part of this compromise. To do this, follow these steps.

Note If your server has been compromised, we strongly recommend that you rebuild the server.  To help protect your computer against Download.Ject, you must first download and install security update 835732, which was released with Microsoft Security Bulletin MS04-011. You can find update 835732 listed in the Critical Updates and Service Packs section of the Windows Update Web site. You can also download and install this update manually from the Microsoft.com Download Center. To find the download for your operating system, see Technical Security Bulletin MS04-011.</li> After you install the security update, delete the following files: <ul> %windir%\System32\Adv.vbs</li> %windir%\System32\Ftpcmd.txt</li> %windir%\System32\Agent.exe</li> %windir%\System32\Ads.vbs</li> %windir%\System32\Inetsrv\Iis .dll</li></ul> </li> Remove the document footer:  Click Start, and then click Run.</li> In the Open box, type the following, and then click OK:

%SystemRoot%\System32\inetsrv\iis.msc

</li> In the IIS MMC, expand  (local computer), and then expand Web Sites.

Note is a placeholder for the name of your computer.</li> Right-click a Web site, and then click Properties.</li> On the Documents tab, click to clear the Enable document footer check box, or specify the path to your document footer file in the text box.</li> Click OK.</li> <li>Repeat steps d, e, and f for any additional Web sites that are configured on the local computer.</li></ol> </li></ol>

Additional query words: Download.Ject JS.Scob.Trojan Scob JS/Scob-A Webber.p Js.toofer infected infect

Keywords: kbinfo kbsecvulnerability kbsecurity kbvirus kbpubtypekc KB871277

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.