Internet Information Services (IIS) 5.0 - Download.Ject detection and recovery advisory (871277)

INTRODUCTION

Microsoft teams are investigating a report of a security issue that affects customers who are using Microsoft Internet Information Services 5.0 (IIS) and Microsoft Internet Explorer. IIS and Internet Explorer are components of Windows.

Reports indicate that Web servers that are running Windows 2000 Server and IIS are possibly being compromised and being used to attempt to infect users of Internet Explorer with malicious code if either of the following conditions are true:

Update 835732 (fixed in Microsoft Security Bulletin MS04-011) has not been applied.
Update 835732 has been applied, but the computer has not been restarted.

For more information about update 835732, review Microsoft Security Bulletin MS04-011 at:

http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

This article describes how to determine if your Windows 2000-based computer that runs IIS 5.0 is compromised by Download.Ject. This article also describes how to recover from this infection.

MORE INFORMATION

How to determine if your Windows 2000 server is compromised

To determine if your server is infected with Download.Ject, use one of the following methods:

Method 1: Check document footers on the IIS server

Click Start, and then click Run.
In the Open box, type the following, and then click OK:
%SystemRoot%\System32\inetsrv\iis.msc
In the IIS MMC, expand Computer_Name (local computer), and then expand Web Sites.

Note Computer_Name is a placeholder for the name of your computer.
Right-click a Web site, and then click Properties.
Click the Documents tab, and then locate the Enable document footer check box. You may be infected with Download.Ject if the Enable document footer check box is selected and the path to the document footer file points to a file that has a name that is similar to %Systemroot%\Winnt\System32\Inetsrv\Iis<3 random digits>.dll.

Method 2: Determine if any of the following files exist in the specified folders

If the following files exist on the computer, the computer is compromised:

%Systemroot%\System32

Date        Time     Size     File name
-----------------------------------------
06/22/2004  07:23a   9,760    Agent.exe
06/22/2004  07:23a      31    Ftpcmd.txt

%Systemroot%\System32\inetsrv

Date        Time       Size    File name
-----------------------------------------
06/22/2004  07:23a     838     iis72f.dll
06/22/2004  07:23a     838     iis72c.dll
06/22/2004  07:23a     838     iis736.dll
06/22/2004  07:23a     838     iis733.dll
06/22/2004  07:23a     838     iis722.dll
06/22/2004  07:23a     838     iis71f.dll
06/22/2004  07:23a     838     iis729.dll
06/22/2004  07:23a     838     iis726.dll
06/22/2004  07:23a     838     iis74a.dll
06/22/2004  07:23a     838     iis746.dll

Note The date and time that are listed for the files may differ.

How to recover from the compromise

Note Microsoft believes that if you installed the updates for MS04-011 manually or by using Automatic Updates before April 25, 2004, and you have restarted your computer, you are already protected against this issue. If you find that your computer has been compromised, please contact Microsoft Product Support Services (PSS) immediately. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:

http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMS

For information about how to recover from this compromise, visit the following Web sites:

http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

http://www.microsoft.com/technet/security/prodtech/iis.mspx

http://www.microsoft.com/technet/security/secnews/articles/gothacked.mspx

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

873018 Download.Ject Payload Detection and Removal Tool

You can manually remove the files that are part of this compromise. To do this, follow these steps.

Note If your server has been compromised, we strongly recommend that you rebuild the server.

To help protect your computer against Download.Ject, you must first download and install security update 835732, which was released with Microsoft Security Bulletin MS04-011. You can find update 835732 listed in the Critical Updates and Service Packs section of the Windows Update Web site. You can also download and install this update manually from the Microsoft.com Download Center. To find the download for your operating system, see Technical Security Bulletin MS04-011.
After you install the security update, delete the following files:
- %windir%\System32\Adv.vbs
- %windir%\System32\Ftpcmd.txt
- %windir%\System32\Agent.exe
- %windir%\System32\Ads.vbs
- %windir%\System32\Inetsrv\Iis<3 random digits>.dll
Remove the document footer:
1. Click Start, and then click Run.
2. In the Open box, type the following, and then click OK:
  %SystemRoot%\System32\inetsrv\iis.msc
3. In the IIS MMC, expand Computer_Name (local computer), and then expand Web Sites.
  
  Note Computer_Name is a placeholder for the name of your computer.
4. Right-click a Web site, and then click Properties.
5. On the Documents tab, click to clear the Enable document footer check box, or specify the path to your document footer file in the text box.
6. Click OK.
7. Repeat steps d, e, and f for any additional Web sites that are configured on the local computer.