Microsoft KB Archive/821749

= Antivirus software may cause IIS to stop unexpectedly =

Article ID: 821749

Article Last Modified on 12/3/2007


APPLIES TO


 * Microsoft Internet Information Server 4.0
 * Microsoft Internet Information Services 5.0
 * Microsoft Internet Information Services 5.1
 * Microsoft Internet Information Services 6.0




We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

http://www.microsoft.com/technet/security/prodtech/IIS.mspx



SYMPTOMS
On the server that is running Internet Information Services (IIS), the IIS Admin service may stop unexpectedly or crash, and your antivirus software may report that your computer has been infected with the Code Red worm even though you installed security updates to help prevent this worm. The following error messages may be logged in the System event log:

Event Type: Error

Event Source: Service Control Manager

Event ID: 7031

The IIS Admin Service service terminated unexpectedly. It has done this  time(s). The following corrective action will be taken in 1 milliseconds: Run the configured recovery program.

Event Type: Error

Event Source: Service Control Manager

Event ID: 7031

The World Wide Web Publishing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.

Event Type: Error

Event Source: Service Control Manager

Event ID: 7031

The Simple Mail Transport Protocol (SMTP) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.

Event Type: Error

Event Source: Service Control Manager

Event ID: 7031

The FTP Publishing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.

Event Type: Error

Event Source: Service Control Manager

Event ID: 7031

Description: The Network News Transport Protocol (NNTP) service terminated unexpectedly. It has done this  time(s). The following corrective action will be taken in 0 milliseconds: No action.



CAUSE
This problem occurs because the antivirus software detects Code Red worm requests, including .ida file requests, to the World Wide Web Publishing Service. The antivirus software acts as if the server has been infected with the worm, causing the IIS Admin service to crash or close unexpectedly.

This problem can occur with McAfee antivirus software that is using a signature file earlier than 4266.



RESOLUTION
To resolve this problem, contact your antivirus software manufacturer for an updated signature file. If you are using McAfee antivirus software, update the signature to 4266 or later.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.



MORE INFORMATION
Even after you apply the IIS security update MS01-044, IIS still receives HTTP requests that other virus-infected computers send. These requests then return an error, such as HTTP 500 or HTTP 404, depending on the IIS configuration. You can review the IIS logs to see the requests and the errors that IIS returns.

For more information about IIS 5.0 logging, click the following article number to view the article in the Microsoft Knowledge Base:

300390 How to enable IIS logging site activity in Windows 2000
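
One way to review the IIS logs for these requests, as an added example that is not part of the original article: the Python script below tallies requests for .ida files by the status code that IIS returned and by client address. The log lines are constructed samples in W3C Extended Log File Format, and the function name summarize_ida_requests is an assumption.

```python
from collections import Counter

# Constructed sample in W3C Extended Log File Format (not from a real server).
# IIS writes a new "#Fields:" header each time the service restarts, so the
# column layout can change partway through one file.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-06-01 10:00:01 192.0.2.10 GET /default.ida XXXX 404
2003-06-01 10:00:05 192.0.2.11 GET /index.htm - 200
2003-06-01 10:02:17 192.0.2.12 GET /default.ida XXXX 500
#Software: Microsoft Internet Information Services 5.0
#Fields: time c-ip cs-method cs-uri-stem sc-status
10:05:40 192.0.2.10 GET /Default.IDA 404
10:05:41 192.0.2.13 GET /scripts/app.asp 200
"""


def summarize_ida_requests(lines, extensions=(".ida",)):
    """Return (status_counts, client_counts) for requests to the given extensions."""
    fields = []
    by_status, by_client = Counter(), Counter()
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            # Directive line: only "#Fields:" changes how data rows are read.
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # no header seen yet, or a row cut short when the service stopped
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()  # IIS URLs are case-insensitive
        if stem.endswith(tuple(extensions)):
            by_status[row.get("sc-status", "?")] += 1
            by_client[row.get("c-ip", "?")] += 1
    return by_status, by_client


if __name__ == "__main__":
    status, clients = summarize_ida_requests(SAMPLE_LOG.splitlines())
    print("status codes:", dict(status))
    print("clients:", clients.most_common())
```

Comparing the timestamps of these requests with the Event ID 7031 entries in the System event log shows whether the service stops coincide with incoming .ida requests.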

For more information about Code Red and securing your IIS server, click the following article number to view the article in the Microsoft Knowledge Base:

301625 MS01-044: Patch available for SSI privilege elevation vulnerability

For more information about security tools and checklists, visit the following Microsoft Web sites:

http://www.microsoft.com/technet/security/tools/default.mspx

https://www.microsoft.com/technet/archive/security/chklist/iis5cl.mspx

Additional query words: iis 4.0 iis 5.0 iis 5.1 iis 6.0 codered coderedII code red II nimda mcaffee av anti-virus anti virus ida idq

Keywords: kbprb KB821749


© Microsoft Corporation. All rights reserved.