As the Code Red II worm spread across the Internet last week, users reported that their Web systems were suffering Denial of Service (DoS) attacks--even after they had installed the IIS patch Microsoft recommends in bulletin MS01-033.
Careful examination of Web logs revealed that the DoS attacks were related to the IIS URL-redirection feature that lets users direct a URL to another site on a different server. The Code Red II worm tries to infect a server by sending a malformed URL that contains a specialized character string. When IIS encounters this malformed URL during the URL redirection, the FTP, Web, proxy, and other IIS-related services stop responding.
Users notified Microsoft about the problem, and the company posted a message on its Web site last week. According to the message, the patch associated with bulletin MS01-033 is unrelated to the DoS attacks. Microsoft says that the Code Red II worm generates a particular malformed request that causes IIS services to stop. The company is working on a hotfix to correct the problem and says the problem doesn't affect Internet Information Services (IIS) 5.0--only Internet Information Server 4.0 configured to perform URL redirection.