From 0fa95d953aac47a1bf3ea63d1ecf42bb762b533c Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 25 Jun 2018 10:29:29 +0200
Subject: [PATCH] new patterns
---
 malware6.pl | 5 ++++-
 malwaresh.pl | 5 ++++-
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/malware6.pl b/malware6.pl
index 0798c8b..73a2bf0 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -238,7 +238,10 @@ my @regexen = (
 qr/<\?php for\(\$o=0,\$e=\'&\\\'\(\)\*\+,-\.:\].+?\(:\)^\',\$d=\'\';\@ord\(\$e\[\$o\]\);\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]=\$o;\}else\{\$d\.=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\);\}\}eval\(\$d\); \?>/is,
 qr/<\?php\s+\$ver = \'abcdefghijklmnopqrstuvwxyz\';\s+\$check = \$ver\{.+?\(\$check\(array\(\'\\n\', \';\'\).+?value=\"&\"\/><\/form>/is,
 qr/<\?php\s+\@error_reporting\(0\);\@set_time_limit\(0\);\s+\$code=\"%3B.+?\$code=\@urldecode\(\$code\);\$code=\@strrev\(\$code\);\@eval\(\$code\);\s+\?>/is,
-
+ qr/\\<\?php \$([A-z0-9_]{1,20})=\"([A-z0-9_]{50,})\"; \$([A-z0-9_]{1,20}) = str_replace\(\"b\",\"\",\"bsbtbrb_rbebpblacbe\"\);.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"z\",\"\",\"crzezatez_fzunctzizon\"\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\", \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\"hd\", \"\", \$([A-z0-9_]{1,20})\.\$([A-z0-9_]{1,20})\.\$([A-z0-9_]{1,20})\.\$([A-z0-9_]{1,20})\)\)\); \$([A-z0-9_]{1,20})\(\); \?>/is,
+ qr/<\?php \$([A-z0-9_]{1,20}) = \"a\" \. \"\\x73\" \. \"\" \. \"\\x73\" \. \"E\" \. \"\\x72\" \. \"t\";\@\$.+?\"\\x29\" \. \"\\x29\" \. \"\" \. \"\\x29\" \. \"\\x3b\"\);exit;/is,
+ qr/<\?php if\(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\(\$([A-z0-9_]{1,20})= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\@eval\(base64_decode\(\$_POST\[([A-z0-9_]{1,20})\]\)\);\)\', \'add\'\);\}/is,
+
diff --git a/malwaresh.pl b/malwaresh.pl
index a86067c..703ed96 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
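Review bot: The first added pattern in the malware6.pl hunk opens with `\\<\?php`, which requires a literal backslash immediately before `<?php`; the two other new patterns and the three context patterns above all open with `<\?php`, so unless the originating sample genuinely carries that leading backslash this looks like an escaping slip that keeps the signature from ever firing — a silent detection gap rather than a false positive. Dropping the `\\` so the line starts `+ qr/<\?php \$([A-z0-9_]{1,20})=\"([A-z0-9_]{50,})\"; ...` brings it in line with its neighbours. Separately, `[A-z0-9_]`, used throughout the three new lines, spans ASCII 65–122 and therefore also admits `[`, `\`, `]`, `^` and the backtick; `[A-Za-z0-9_]` states the intended identifier class, and since none of the captures appear to be read anywhere in the hunk, `(?:...)` groups would avoid needless capture bookkeeping. A small Test::More case that runs each new qr// against its originating sample would catch a slip like the first one before release. The same three lines are added to malwaresh.pl in the second hunk, which needs the identical fix.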
@@ -1226,7 +1226,10 @@ my @regexen = (
 qr/<\?php for\(\$o=0,\$e=\'&\\\'\(\)\*\+,-\.:\].+?\(:\)^\',\$d=\'\';\@ord\(\$e\[\$o\]\);\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]=\$o;\}else\{\$d\.=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\);\}\}eval\(\$d\); \?>/is,
 qr/<\?php\s+\$ver = \'abcdefghijklmnopqrstuvwxyz\';\s+\$check = \$ver\{.+?\(\$check\(array\(\'\\n\', \';\'\).+?value=\"&\"\/><\/form>/is,
 qr/<\?php\s+\@error_reporting\(0\);\@set_time_limit\(0\);\s+\$code=\"%3B.+?\$code=\@urldecode\(\$code\);\$code=\@strrev\(\$code\);\@eval\(\$code\);\s+\?>/is,
-
+ qr/\\<\?php \$([A-z0-9_]{1,20})=\"([A-z0-9_]{50,})\"; \$([A-z0-9_]{1,20}) = str_replace\(\"b\",\"\",\"bsbtbrb_rbebpblacbe\"\);.+?\$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"z\",\"\",\"crzezatez_fzunctzizon\"\); \$([A-z0-9_]{1,20}) = \$([A-z0-9_]{1,20})\(\"\", \$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\"hd\", \"\", \$([A-z0-9_]{1,20})\.\$([A-z0-9_]{1,20})\.\$([A-z0-9_]{1,20})\.\$([A-z0-9_]{1,20})\)\)\); \$([A-z0-9_]{1,20})\(\); \?>/is,
+ qr/<\?php \$([A-z0-9_]{1,20}) = \"a\" \. \"\\x73\" \. \"\" \. \"\\x73\" \. \"E\" \. \"\\x72\" \. \"t\";\@\$.+?\"\\x29\" \. \"\\x29\" \. \"\" \. \"\\x29\" \. \"\\x3b\"\);exit;/is,
+ qr/<\?php if\(isset\(\$_POST\[\'([A-z0-9_]{1,20})\'\]\)\)\{\(\$([A-z0-9_]{1,20})= \$_POST\[\'([A-z0-9_]{1,20})\'\]\) && \@preg_replace\(\'\/ad\/e\',\'\@\'\.str_rot13\(\'riny\'\)\.\'\(\@eval\(base64_decode\(\$_POST\[([A-z0-9_]{1,20})\]\)\);\)\', \'add\'\);\}/is,
+
 );