Where to start…
First, I’m sorry that you got your accounts breached, if that’s the case.
Now, let’s start with Shellshock, you ran a piece of code in the terminal that only serves to prove that the bash version you are running is vulnerable to the Shellshock vulnerability.
Currently, all OS X versions actually have that vulnerability, if anyone running OSX runs that command they will get the same result.
This vuln. is dangerous mostly for servers, and in some special cases for clients too, the case you described could have not trigger the vulnerability, actually it would be the other way around, you could have, via a crafted HTTP request triggered the vuln. In the server.
What I mean is, all this talk about Shellshock is actually irrelevant for your situation, because you weren’t attacked via Shellshock.
Now, worms, worms are a specific kind of malware that spreads using vulnerabilities in a network, Shellshock could be used, but in that case it would be from Webserver to Webserver. So no, your case is also not a worm.
What you describe seems more like phishing, a rogue site posing to be another in order to steal your info and credentials. There’s no malware involved in such cases, only social engineering, as such Avast! AV, or any other AV, free or not can’t do much about it.
However, the most important facts are lefted out, which are, what was the behaviour that you considered suspicious? What ‘preventive measures’ did you took? And how do you know that they got your info? As in, what facts lead you to conclude that?