From 05ecfece0d4b5a08cf372b8571c4fda066faed16 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Fri, 11 May 2018 20:44:38 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 4 ++--
 malwaresh.pl | 3 ++-
 2 files changed, 4 insertions(+), 3 deletions(-)
diff --git a/malware5.pl b/malware5.pl
index 00ea90a..fb72bed 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -509,8 +509,8 @@ my @regexen = (
 qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
 qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is,
 qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/body><\/html>\s+\<\?\}\?>/is,
- qr/.+?(viagra|cialis|levira|kamagra).+?<\/a>\s+<\/span>/is,
-
+ qr/.+?(viagra|cialis|levira|kamagra).+?<\/a>\s+<\/span>/is,
+ qr/<\?php.+?c40shell\.php\s+v\.Undetected.+?<\?php\s+chdir\(\$lastdir\)\;\s+c40shexit\(\)\;\s+\?>/is,
 );
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 9c05db9..cb1e68d 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
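Review bot: The added c40shell signature (last `+` line of the malware5.pl hunk, and the identical line in the malwaresh.pl hunk) only fires when the literal banner `c40shell.php v.Undetected` is present and the trailer has at least one whitespace character before `c40shexit` and before `?>`, because both gaps use `\s+`. Ending the pattern with `chdir\(\$lastdir\)\;\s*c40shexit\(\)\;\s*\?>` still matches the same sample and also covers copies whose trailer has been reformatted. Under `/s` the leading `<\?php.+?` begins at the first PHP tag in the file, so if `@regexen` is used to strip the matched span rather than only report it (not visible here), the match would include any legitimate code ahead of the shell; that is worth confirming where the list is consumed. A short comment above the new entry, for example `# c40 web shell: version banner through c40shexit() trailer`, would help, since the entries are otherwise unlabeled and the same line has to be kept in sync by hand across both files. The `@regexen` list begins above the hunk.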
@@ -992,7 +992,8 @@ my @regexen = (
 qr/<\?php\s+\$.+?\"pre\"\.\"g\_\"\.\"rep\"\.\"lace\"\;\s+\$.+?\(strrev\(\"e\/\*\.\/\"\)\,\s+strrev\(\"\(edoced\_46esab\(etalfnizg\(lave\"\)\.\".+?\)\;\s+\?>/is,
 qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\"\\x.+?\$([A-z0-9]{1,20})\s+\=\s+Array\(\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\].+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[\d\d\]\]\)\;\s+\}\s+\}/is,
 qr/<\?php.+?class\s+browseDir\s+\{.+?function\s+upload\(\$ifupload\)\{.+?if\(\!empty\(\$eval\)\s+\&\&\s+\$eval\s+\!\=\s+\'\'\)\{.+?<\/body><\/html>\s+\<\?\}\?>/is,
- qr/.+?(viagra|cialis|levira|kamagra).+?<\/a>\s+<\/span>/is,
+ qr/.+?(viagra|cialis|levira|kamagra).+?<\/a>\s+<\/span>/is,
+ qr/<\?php.+?c40shell\.php\s+v\.Undetected.+?<\?php\s+chdir\(\$lastdir\)\;\s+c40shexit\(\)\;\s+\?>/is,
 );