Even if you’ve applied Microsoft’s patch, you may still not be protected from the Code Red worm.
European web hosting service Shared Knowledge says websites based on Microsoft’s IIS 4.0 using URL re-direction are still vulnerable to the worm, because when IIS is set to redirect URLs it will accept any URL and send a 302 HTTP code, resulting in an overflow and IIS crash.
Shared Knowledge says the answer is to remove all redirected IIS websites and URLs from the server, apply the patches and reboot.