ADSL Uploading Woes

ReDeeMer

Hey guys, I need some help.
I got this from TELKOM TODAY:
I Uploaded 2.04Gbytes and downloaded 1.67Gbytes
so I have been capped. Problem is I never upload anything, none the less 2GB's of STUFF!!
I understand the PC sends and receives info when you're online, but even when I'm not browsing, and I just have a connection with nothing running in the background, the Bytes received amount keeps climbing all the time.

Anyone have any idea what I may be able to do?
If I phone Telkom, can they do anything?
 
Hi

Try this :

If you are using the Marconi ADSL router go to this site :

http://www.telkom.co.za/adsl/tech_info4.jsp

There is a known loophole involving default passwords and this allows others to steal your username and password and use up your bandwidth

AND/OR

If you are using Win 2K , Win 2K3 server, WinXP or Win NT 4 then download this patch if you haven't already :

http://www.microsoft.com/security/security_bulletins/ms03-026.asp

Visit this Microsoft link to download a security patch that closes a potential loophole in the Remote Procedure Call (RPC). This loophole allows an intruder to access your machine remotely and run commands from your machine; this includes denial of service attacks and bouncing a connection through the compromised machine.

AND/OR

Scan for a virus called mblast.exe (a variant of lovsan virus)- Look in the task manager for a process called mblast.exe.

Text from TrendMicro's newsletter:

WORM_MSBLAST.A affects unpatched systems running Windows NT, 2000, XP, and Server 2003. This worm can only propagate to systems running Windows 2000 and XP. WORM_MSBLAST.A is currently spreading in-the-wild, and has been in heavy circulation since Monday.

WORM_MSBLAST.A is a destructive worm that exploits the RPC DCOM Buffer Overflow, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, which allows an attacker to gain full access and execute any code on a target machine, leaving it compromised. The virus payload performs a Distributed Denial of Service (DDoS) attack against windowsupdate.com on the 16th through the 31st day of every month from January through August, and any day in September through December. The worm is set to activate its next Distributed Denial of Service attack this Saturday, August 16.

Upon execution, this worm creates an autorun registry entry that allows it to execute at every Windows startup. It creates a mutex named "BILLY," that it uses to check whether another copy is already running. If it finds that another copy is running, it simply terminates. If no other copy is running, it continues with the rest of its routines; sleeping at 20 second intervals and waking to check for Internet connection, until it is able to establish this connection.

Once it secures an Internet connection, this worm checks for the current system date. If the system date is the 16th through 31st day of any month in January through August, or any day of the month of September through December, it launches a thread that performs a Distributed Denial of Service (DDoS) attack against windowsupdate.com. When performing the DDoS attack, this worm constructs a specially crafted packet, which it sends to the target site. The packet contains no data except for its TCP/IP header, and is constructed in such a way that the worm can spoof the sender IP address. This worm continuously sends the packet every 20 milliseconds.

This worm exploits the RPC DCOM BUFFER OVERFLOW, a vulnerability in a Windows Distributed Component Object Model (DCOM) Remote Procedure Call (RPC) interface, to infect remote machines.

To infect unpatched, vulnerable machines, this worm attempts to connect to other target systems via port 135. It does this by opening 20 TCP threads or connections which scan for IP addresses. After creating 20 threads or connection attempts, it uses another method which generates random IP addresses.

This worm then instructs its remote target machine to download its copy MSBLAST.EXE into the Windows System32 folder; typically C:\Windows\System32 or C:\WINNT\System32. Finally, it instructs the target machine to execute the downloaded file. This begins another life cycle for the worm on the newly infected machine.

The following text strings are visible in this worm's body:

I just want to say LOVE YOU SAN!!
billy gates why do you make this possible ? Stop making money and fix your software!!

If you would like to scan your computer for WORM_MSBLAST.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

FINALLY

Install a viruswall - the always-on aspect of ADSL means more vulnerability to hackers.

You can try this one: http://www.tinysoftware.com/home/tiny2?la=EN
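The newsletter text above says the worm spreads by connecting to many addresses on TCP port 135, which is also a plausible source of unexplained outbound traffic. The following is an added example, not part of the original posts or the Trend Micro text: it flags hosts whose connection log shows that fan-out pattern. The log format, the IP addresses, and the threshold of 20 distinct destinations per 60 seconds are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real product's):
#   <ISO timestamp> <source IP> -> <destination IP> <PROTO>/<dest port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) (?P<proto>\w+)/(?P<dport>\d+)$"
)

def find_rpc_scanners(lines, threshold=20, window=timedelta(seconds=60)):
    """Map each source IP to its peak count of distinct TCP/135 destinations
    inside any sliding window, keeping only sources at or above threshold."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "TCP" or m["dport"] != "135":
            continue  # unparsable line, or not a TCP/135 (RPC) connection
        events[m["src"]].append((datetime.fromisoformat(m["ts"]), m["dst"]))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        start = peak = 0
        for end, (ts, _dst) in enumerate(evs):
            while ts - evs[start][0] > window:
                start += 1  # drop events older than the window
            peak = max(peak, len({d for _, d in evs[start:end + 1]}))
        if peak >= threshold:
            flagged[src] = peak
    return flagged

def build_sample():
    """Constructed sample traffic: one scanning host, two benign hosts."""
    base = datetime(2003, 8, 14, 10, 0, 0)
    lines = []
    for i in range(25):
        fast = (base + timedelta(seconds=i)).isoformat()
        slow = (base + timedelta(minutes=5 * i)).isoformat()
        # 25 distinct destinations in 25 seconds: worm-like fan-out
        lines.append(f"{fast} 192.168.1.20 -> 198.51.100.{i + 1} TCP/135")
        # same 25 destinations, one every 5 minutes: stays below threshold
        lines.append(f"{slow} 192.168.1.30 -> 198.51.100.{i + 1} TCP/135")
    # ordinary host: one RPC call to a local server plus web traffic
    lines.append(f"{base.isoformat()} 192.168.1.10 -> 192.168.1.2 TCP/135")
    lines.append(f"{base.isoformat()} 192.168.1.10 -> 203.0.113.7 TCP/80")
    return lines

if __name__ == "__main__":
    for src, peak in find_rpc_scanners(build_sample()).items():
        print(f"{src}: {peak} distinct TCP/135 destinations within 60 s")
```

A flagged host should be checked for the MS03-026 patch and scanned, as the post above recommends.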
 
Hi ASnogarD

Just a small correction. The loophole with the modem passwords doesn't give hackers access to your PC, it only gives them access to your modem. They can only change your modem settings, which will cause your ADSL not to work. Believe me, I made sure about this because I got a big scare when I heard about this the first time!!! I called Telkom a few times to make sure there's no chance that someone can steal my bandwidth by hacking into the modem. The one tech also told me that the security problem with the modems only occurs when the modem's built-in PPPoE client is used. But I'm not sure if that is true?????

Greetings
Oomfloors
 
I was told by someone it was possible to get the username and password of a user via the loophole, that the username and password is viewable in plain text if you look in the right place.
 
That leads me to 2 problems with the Telkom user/password.
1. The user has no way of changing the password on it himself. I find that unacceptable.
2. When logging on, the password is transmitted in clear-text. You cannot send it in a secure mode. Not good.
 
ReDeeMer: You are not running something like Kazaa with some files you shared, so people could be downloading from you? Would that not be seen as an upload?
 
Hey Redeemer

Long time

Anyway when last did u check ur PC for spyware?

Download Ad-Aware from Tucows if u have no spyware blockers !!

Rat
 
Download http://www.dumeter.com/, it will at least give you a 30-day trial to compare your results with that of Telkom's.
 
This is a really great little app, thanks Pumba.


----------------
United we stand!
----------------
 
Quote (originally posted by VQuest):
> This is a really great little app, thanks Pumba.

Just ensure (if you haven't picked it up yet) to set it so that it only measures traffic on the Internet Connection and not the LAN card. Especially if you use ICS.
 
Yes, I noticed that setting. Thanks again Pumba :)


 