Antivirus software may cause IIS to stop unexpectedly (821749)



The information in this article applies to:

  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services version 5.1
  • Microsoft Internet Information Services version 6.0

We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:

SYMPTOMS

On the server that is running Internet Information Services (IIS), the IIS Admin service may stop unexpectedly or crash, and your antivirus software may report that your computer has been infected with the Code Red worm even though you installed security updates to help prevent this worm. The following error messages may be logged in the System event log:

Event Type: Error
Event Source: Service Control Manager
Event ID: 7031
The IIS Admin Service service terminated unexpectedly. It has done this X time(s). The following corrective action will be taken in 1 milliseconds: Run the configured recovery program.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7031
The World Wide Web Publishing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7031
The Simple Mail Transport Protocol (SMTP) service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7031
The FTP Publishing Service service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: No action.

Event Type: Error
Event Source: Service Control Manager
Event ID: 7031
Description: The Network News Transport Protocol (NNTP) service terminated unexpectedly. It has done this X time(s). The following corrective action will be taken in 0 milliseconds: No action.

CAUSE

This problem occurs because the antivirus software detects Code Red worm requests, including .ida file requests, to the World Wide Web Publishing Service. The antivirus software acts as if the server has been infected with the worm, causing the IIS Admin service to crash or close unexpectedly.

This problem can occur with McAfee antivirus software that is using a signature file earlier than 4266.

RESOLUTION

To resolve this problem, contact your antivirus software manufacturer for an updated signature file. If you are using McAfee antivirus software, update the signature to 4266 or later.

The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, regarding the performance or reliability of these products.

MORE INFORMATION

Even after you apply the IIS security update MS01-044, IIS still receives HTTP requests that other virus-infected computers send. These requests then return an error, such as HTTP 500 or HTTP 404, depending on the IIS configuration. You can review the IIS logs to see the requests and the errors that IIS returns.
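
The log review described above, as an added example that is not part of the original article: this Python script reads IIS W3C Extended log lines, finds requests whose cs-uri-stem ends in .ida, and counts them by returned status code and by client address. The sample log, its dates and its addresses are constructed, and the function name is hypothetical.

```python
from collections import Counter

# Constructed sample in IIS W3C Extended log format (not from a real server).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-08-06 00:00:12
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-08-06 00:00:12 192.0.2.10 GET /default.ida NNNNNNNN 404
2001-08-06 00:01:40 192.0.2.10 GET /default.ida NNNNNNNN 404
2001-08-06 00:02:03 198.51.100.7 GET /index.htm - 200
2001-08-06 00:05:51 203.0.113.44 GET /Default.IDA NNNNNNNN 500
#Fields: time c-ip cs-uri-stem sc-status
00:09:30 203.0.113.44 /scripts/query.ida 500
00:09:31 203.0.113.44 truncated-line
"""


def summarize_ida_requests(lines):
    """Count .ida requests per status code and per client from W3C log lines."""
    fields = []
    by_status, by_client = Counter(), Counter()
    for raw in lines:
        line = raw.strip()
        if line.startswith("#Fields:"):
            # The column layout can change mid-file, so re-read it every time.
            fields = line[len("#Fields:"):].split()
            continue
        if not line or line.startswith("#"):
            continue  # blank line or another directive (#Software, #Date, ...)
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed or truncated entry
        row = dict(zip(fields, values))
        # IIS treats the extension case-insensitively, so compare in lower case.
        if row.get("cs-uri-stem", "").lower().endswith(".ida"):
            by_status[row.get("sc-status", "?")] += 1
            by_client[row.get("c-ip", "?")] += 1
    return by_status, by_client


if __name__ == "__main__":
    statuses, clients = summarize_ida_requests(SAMPLE_LOG.splitlines())
    print("status codes returned for .ida requests:", dict(statuses))
    print("requesting clients:", clients.most_common())
```

If every .ida request in the summary carries an error status such as 404 or 500, the requests were received and rejected, which is the situation this article describes.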

For more information about IIS 5.0 logging, click the following article number to view the article in the Microsoft Knowledge Base:

300390 How to enable IIS logging site activity in Windows 2000

For more information about Code Red and securing your IIS server, click the following article number to view the article in the Microsoft Knowledge Base:

301625 MS01-044: Patch available for SSI privilege elevation vulnerability

For more information about security tools and checklists, visit the following Microsoft Web sites:

Modification Type: Major
Last Reviewed: 9/20/2005
Keywords: kbprb KB821749 kbAudDeveloper