The CERT/CC has received numerous reports of Windows NT 4.0 IIS 4.0 servers patched according to Microsoft Security Bulletin MS01-033 crashing when scanned by the "Code Red" worm.
A vulnerability in Microsoft IIS 4.0 allows an attacker to crash an IIS 4.0 server by sending a crafted URL if the server is configured to use URL redirection (URL redirection is not enabled by default). This vulnerability is exercised by the "Code Red" worm, but it is distinct from the vulnerability described in CA-2001-13 that allows the worm to compromise systems. IIS 4.0 servers configured to use URL redirection and patched according to Microsoft Security Bulletin MS01-033 are no longer vulnerable to compromise by the "Code Red" worm, but they may crash due to this new vulnerability.
For more information, please see
"Code Red" scanning activity can result in a denial-of-service attack against a Windows NT 4.0 IIS 4.0 server with URL redirection enabled.
Apply the patch from Microsoft Security Bulletin MS01-044.
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are affected by this activity, please send mail to firstname.lastname@example.org.