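#!/bin/bash
#Worm detection template V0.1.1.
#Copyright 2001 William Stearns
#Released under the GPL.
#
#How to use: copy this file and fill in every placeholder.  Everything that
#needs attention is bracketed by capital X markers (e.g. "X My Worm Name X");
#replace the whole "X ... X" span with the real value.
#
#The script reports its verdict through its exit status: $True when the
#attack is present, $False when it is not, and 2 when detectlib could not
#be loaded.  $True/$False are presumably defined by detectlib (not here).

#Load the shared detection library from the current directory.
#The path is written explicitly as ./detectlib: with a bare "detectlib",
#bash's "." builtin looks the name up along $PATH before falling back to the
#current directory, so on a compromised host a planted "detectlib" somewhere
#on $PATH could be sourced in place of the intended one.  The explicit path
#also makes the error message below true.  detectlib is sourced (not run),
#so it is treated as trusted code: keep it with this script.
if ! . ./detectlib ; then
  echo 'Cannot find detectlib in the current directory, exiting' >&2
  exit 2
fi
InitDetectLib

#optional test: refuse to run against a detectlib older than this template
#expects (DetectLibVer is assumed to be set by detectlib).
#if [ "$DetectLibVer" -lt 010 ]; then
#  echo detectlib is too old, please update. Exiting.
#  exit 1
#fi

#Human-readable name for this attack, for detectlib's reporting.
AttackName X My Worm Name X

#AttackMarker decides whether the attack is present; judging by its use as
#the "if" condition, it succeeds when the listed file(s)/directory(s) exist.
#Choose markers the worm always leaves and that a clean system never has,
#otherwise every run is a false positive (and the cleanup below runs).
if AttackMarker X /path/to/some/file/or/dir /optional/second/file /and/a/third/etc X; then
  #ReplacedFile <hostile wrapper> <where the original was placed>:
  #a good binary the worm replaced with a wrapper, one line per file.
  ReplacedFile X /path/to/hostile/wrapper /path/where/original/good/file/placed X
  ReplacedFile X /path/to/hostile/wrapper /path/where/original/good/file/placed X

  #You need to check for running apps with this before removing the files; killall
  #depends on having the original files still on the drive to kill them.
  #Always give full paths: a bare name could match an unrelated process.
  PathToRunningApps X \
    /some/possibly/running/but/definitely/hostile/app \
    /and/another \
    /always/give/a/full/path/to/them X

  #AttackFiles: files (and whole directories) the worm dropped, to be removed.
  #Directories listed here are removed completely, so re-read every entry:
  #one misplaced space, or an entry that amounts to / or a system directory,
  #and large portions of the drive disappear.  Never list a directory the
  #worm merely wrote into -- list the files inside it instead.
  AttackFiles X \
    /a/file \
    /another/file \
    /etcetera X \
    /also/entire/directories/that/should/be/completely/removed/ \
    /BE/CAREFUL/DARNIT/ \
    /one/misplaced/space/and/large/portions/of/the/drive/disappear/ X

  #NukedFiles: legitimate files the attack removes or truncates (presumably
  #so detectlib can report them as needing restoration, not deletion).
  NukedFiles X \
    /some/file/this/attack/removes/or/truncates \
    /and/another X

  #AddedLine <file> <regexp>: a line the worm appended to an existing file.
  #The second argument is a regular expression, so escape dots and other
  #metacharacters and anchor it, or it may also match a legitimate line.
  AddedLine X /some/file RegExpThatMatchesLineAdded X

  #SysV init services the worm stops, space separated.
  ServicesStopped X somesysvinitservice anothersysvinitservice X

  exit $True   #Attack found
else
  exit $False  #Attack not found
fi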