#!/usr/bin/perl -w

# by Christian Wolff
# searches the first 200 lines of all given files for signs
# of the sircam virus and outputs the detected filenames.
# http://www.mcafee.com/anti-virus/viruses/sircam/default.asp?cid=2360
# http://www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html

sub detect_sircam ($)
{
  
  my $limit=200;
  my $detected=0;
  my $language=0;
  my $line;
  my $filename = shift || '-';

  open FILE,"<$filename" or return 0;
  while (<FILE>) {
    $line = $_;
    if ($line=~/^Hi\! How are you(\=3F|\?)$/) { 
      $language=1;
      $detected=1;
    } elsif ($line=~/^Hola como estas (\=3F|\?)$/) { 
      $language=2;
      $detected=1;
    } elsif ($detected) {
      if (($detected % 2) && ($line=~/^ ?$/)) {
        $detected++;
      } elsif ($detected==2) {
        $detected++;
      } elsif ($language == 1) {
        if ($line=~/^See you later(\=2E|\.) Thanks$/) { 
          return 1;
        } else {
          $detected=0;
        }
      } elsif ($language == 2) {
        if ($line=~/^Nos vemos pronto(\=2C|\,) gracias(\=2E|\.)$/) { 
          return 1;
        } else {
          $detected=0;
        }
      } else {
        $detected=0;
      }
    }
    return(0) unless ($limit--);
  }
  close FILE;
  return 0;
}

my $name;
my $found=0;

if (scalar(@ARGV) == 0) {
  if (&detect_sircam('-')) {
    print "-\n";
    $found=1;
  }
} else {
  while ($name=shift) {
    if (&detect_sircam($name)) {
      print "$name\n";
      $found=1;
    }
  }
}
exit($found);