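#!/bin/bash
#Worm detection template V0.1.3.
#Copyright 2001 William Stearns
#Released under the GPL.
#Everything that needs attention starts with a capital X.
#
#How to use: copy this template, replace every X below with the values for
#the worm being handled, then run it.  Every X left in place is passed to
#the detectlib helper verbatim as an ordinary argument, so check the
#finished script for stray X's before running it.
#
#All helper commands used here (InitDetectLib, AttackName, AttackMarker,
#ReplacedFile, PathToRunningApps, PackagesMangled, AttackFiles, NukedFiles,
#AddedLine, ReplacedLine, ServicesStopped) and the $True/$False exit values
#are defined by detectlib, not by this file.
#
#Exit status: $True when the attack marker is found (and cleanup has run),
#$False when it is not, 2 when detectlib cannot be loaded.

#NOTE(review): bash's "." searches $PATH before falling back to the current
#directory, so a file named detectlib earlier in $PATH is loaded in
#preference to the local copy.  If the library must only ever come from the
#current directory, source it as ". ./detectlib" instead.
if ! . detectlib ; then
  #Diagnostics go to stderr so they are not mistaken for detection output.
  printf '%s\n' "Cannot find detectlib in the current directory, exiting" >&2
  exit 2
fi
InitDetectLib

#optional test:
#if [ $DetectLibVer -lt 010 ]; then
#  echo detectlib is too old, please update. Exiting.
#  exit 1
#fi

AttackName X My Worm Name

#AttackMarker decides whether the worm is present; everything inside the
#"then" branch is cleanup and only runs when the marker matches.
if AttackMarker X /path/to/some/file/or/dir /optional/second/file /and/a/third/etc X; then
  ReplacedFile X /path/to/hostile/wrapper /path/where/original/good/file/placed X
  ReplacedFile X /path/to/hostile/wrapper /path/where/original/good/file/placed X

  #You need to check for running apps with this before removing the files; killall
  #depends on having the original files still on the drive to kill them.
  PathToRunningApps X \
    /some/possibly/running/but/definitely/hostile/app \
    /and/another \
    /always/give/a/full/path/to/them

  PackagesMangled X X \
    /full/path/to/some/binary ProbableOwnerPackageName \
    /another/binary ProbableOwnerPackageForThatBinary

  #Paths listed here are removed outright; a directory path removes the
  #whole directory.  Keep one path per continuation line and re-read the
  #list before running -- a typo here is a destructive typo.
  AttackFiles X \
    /a/file \
    /another/file \
    /etcetera \
    /also/entire/directories/that/should/be/completely/removed/ \
    /BE/CAREFUL/DARNIT/ \
    /one/misplaced/space/and/large/portions/of/the/drive/disappear/

  NukedFiles X \
    /some/file/this/attack/removes/or/truncates \
    /and/another

  AddedLine X X \
    /some/file RegExpThatMatchesLineAdded

  ReplacedLine X X X \
    /some/file BadRegexInFile GoodStringWeWantThere

  ServicesStopped X \
    somesysvinitservice \
    anothersysvinitservice

  #Quoted so that a "*" or "?" typed into the edited warning text is printed
  #literally instead of being glob-expanded against the current directory.
  echo "Anything you want to warn the user about manually, such as"
  echo "Your passwords may have been mailed off to some email account,"
  echo "please change all passwords."

  exit "$True"    #Attack found
else
  exit "$False"   #Attack not found
fi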