From 12d552ab015a17e64f9f61fcbfc600825fd06318 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Sat, 7 Apr 2018 13:16:49 +0200
Subject: [PATCH] new patterns

---
 malware5.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/malware5.pl b/malware5.pl
index b5688d6..ca9280c 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -158,6 +158,7 @@ my @regexen = (
     qr/<\?php\s+eval\s+\(\$\_POST\[\d\]\)\;\s+\?>/is,
     qr/<\?php\s+\$auth\_pass\s+\=\s+\"\"\;.+?\$default\_action\s+\=\s+base64\_decode\(\'.+?eval\(base64\_decode\(.+?\)\)\;\s+return\;\s+\?>/is,
     qr/<\?php\s+if\(isset\(\$\_REQUEST\[\"\w\"\]\)\)\s+\{\$\w\=\"ass\"\.\"ert\"\;\$\w\=\$\w\(\$\_REQUEST\[\"\w\"\]\)\;\}\?>/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'base\'\s+\,\'64\_d\'\s+\,\'ecod\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'g\'\,\s+\'z\'\,\s+\'u\'\,\s+\'n\'\,\s+\'c\'\,\s+\'o\'\,\s+\'m\'\,\s+\'p\'\,\s+\'r\'\,\s+\'e\'\,\s+\'s\'\,\s+\'s\'\)\s+\;\$.+?\)\;\s+eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,