Article ID: 871277
Article Last Modified on 11/21/2006
APPLIES TO
- Microsoft Internet Information Services 5.0, when used with:
- Microsoft Windows 2000 Standard Edition
SUMMARY
This article describes how administrators can determine if a Microsoft Windows 2000-based computer that is running IIS 5.0 is compromised with malicious code that exploits a vulnerability that is addressed in Microsoft Security Bulletin MS04-011 (835732).
INTRODUCTION
Microsoft teams are investigating a report of a security issue that affects customers who are using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer. IIS and Internet Explorer are components of Windows.
Reports indicate that Web servers that are running Windows 2000 Server and IIS are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code if either of the following conditions are true:
- Update 835732 (fixed in Microsoft Security Bulletin MS04-011) has not been applied.
- Update 835732 has been applied, but the computer has not been restarted.
For more information about update 835732, review Microsoft Security Bulletin MS04-011 at:
This article describes how to determine if your Windows 2000-based computer that runs IIS 5.0 is compromised by Download.Ject. This article also describes how to recover from this infection.
MORE INFORMATION
How to determine if your Windows 2000 server is compromised
To determine if your server is infected with Download.Ject, use one of the following methods:
- Click Start, and then click Run.
- In the Open box, type the following, and then click OK:
%SystemRoot%\System32\inetsrv\iis.msc
- In the IIS MMC, expand
Computer_Name
(local computer), and then expand Web Sites.
NoteComputer_Name
is a placeholder for the name of your computer. - Right-click a Web site, and then click Properties.
- Click the Documents tab, and then locate the Enable document footer check box. You may be infected with Download.Ject if the Enable document footer check box is selected and the path to the document footer file points to a file that has a name that is similar to %Systemroot%\Winnt\System32\Inetsrv\Iis<3 random digits>.dll.
Method 2: Determine if any of the following files exist in the specified folders
If the following files exist on the computer, the computer is compromised:
%Systemroot%\System32
Date Time Size File name ----------------------------------------- 06/22/2004 07:23a 9,760 Agent.exe 06/22/2004 07:23a 31 Ftpcmd.txt
%Systemroot%\System32\inetsrv
Date Time Size File name ----------------------------------------- 06/22/2004 07:23a 838 iis72f.dll 06/22/2004 07:23a 838 iis72c.dll 06/22/2004 07:23a 838 iis736.dll 06/22/2004 07:23a 838 iis733.dll 06/22/2004 07:23a 838 iis722.dll 06/22/2004 07:23a 838 iis71f.dll 06/22/2004 07:23a 838 iis729.dll 06/22/2004 07:23a 838 iis726.dll 06/22/2004 07:23a 838 iis74a.dll 06/22/2004 07:23a 838 iis746.dll
Note The date and time that are listed for the files may differ.
How to recover from the compromise
Note Microsoft believes that if you installed the updates for MS04-011 manually or by using Automatic Updates before April 25, 2004, and you have restarted your computer, you are already protected against this issue. If you find that your computer has been compromised, please contact Microsoft Product Support Services (PSS) immediately. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
For information about how to recover from this compromise, visit the following Web sites:
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html
http://www.microsoft.com/technet/security/prodtech/iis.mspx
http://www.microsoft.com/technet/security/secnews/articles/gothacked.mspx
For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
873018 Download.Ject Payload Detection and Removal Tool
You can manually remove the files that are part of this compromise. To do this, follow these steps.
Note If your server has been compromised, we strongly recommend that you rebuild the server.
- To help protect your computer against Download.Ject, you must first download and install security update 835732, which was released with Microsoft Security Bulletin MS04-011. You can find update 835732 listed in the Critical Updates and Service Packs section of the Windows Update Web site. You can also download and install this update manually from the Microsoft.com Download Center. To find the download for your operating system, see Technical Security Bulletin MS04-011.
- After you install the security update, delete the following files:
- %windir%\System32\Adv.vbs
- %windir%\System32\Ftpcmd.txt
- %windir%\System32\Agent.exe
- %windir%\System32\Ads.vbs
- %windir%\System32\Inetsrv\Iis<3 random digits>.dll
- Remove the document footer:
- Click Start, and then click Run.
- In the Open box, type the following, and then click OK:
%SystemRoot%\System32\inetsrv\iis.msc
- In the IIS MMC, expand
Computer_Name
(local computer), and then expand Web Sites.
NoteComputer_Name
is a placeholder for the name of your computer. - Right-click a Web site, and then click Properties.
- On the Documents tab, click to clear the Enable document footer check box, or specify the path to your document footer file in the text box.
- Click OK.
- Repeat steps d, e, and f for any additional Web sites that are configured on the local computer.
Additional query words: Download.Ject JS.Scob.Trojan Scob JS/Scob-A Webber.p Js.toofer infected infect
Keywords: kbinfo kbsecvulnerability kbsecurity kbvirus kbpubtypekc KB871277