new patterns

malware5.pl

@@ -248,6 +248,9 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0.+?return\s+base64\_decode\(\$([A-z0-9]{1,20})\)\;\}\s+\$([A-z0-9]{1,20}).+?eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
     qr/<\?php.+?hello\_dolly.+?\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;.+?add\_action\(\s+\'admin\_head\'\,\s+\'dolly\_css\'\s+\)\;\s+\?>/is,
     qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"x.+?\"\)\;\s+\?>/is,
+    qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
+    qr/<\?php.+?\$pos\s+\=\s+strpos\(\$haystack\,\s+\$needle\)\;.+?function\s+mailer\_spam\_cycle\(.+?\'OK\'\)\;\s+\}/is,
+    qr/<html>.+?parent\.window\.opener\.location\=\"http\:\/\/redirg\.info\/\?access\=.+?<\/html>/is,
 );
 
 my @base64_decodes = (

malwaresh.pl

@@ -728,6 +728,9 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+Array\(.+?function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\{\$([A-z0-9]{1,20})\s+\=\s+\'\'\;\s+for\(\$i\=0.+?return\s+base64\_decode\(\$([A-z0-9]{1,20})\)\;\}\s+\$([A-z0-9]{1,20}).+?eval\(([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+\$([A-z0-9]{1,20})\)\)\;\?>/is,
     qr/<\?php.+?hello\_dolly.+?\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;.+?add\_action\(\s+\'admin\_head\'\,\s+\'dolly\_css\'\s+\)\;\s+\?>/is,
     qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"x.+?\"\)\;\s+\?>/is,
+    qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
+    qr/<\?php.+?\$pos\s+\=\s+strpos\(\$haystack\,\s+\$needle\)\;.+?function\s+mailer\_spam\_cycle\(.+?\'OK\'\)\;\s+\}/is,
+    qr/<html>.+?parent\.window\.opener\.location\=\"http\:\/\/redirg\.info\/\?access\=.+?<\/html>/is,
     
 
 );