From 16ce428d8e566f5340dcb91f96b2acc00bba2b5f Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 28 Apr 2018 09:19:32 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 1 +
 malwaresh.pl | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/malware5.pl b/malware5.pl
index 9463cd9..0595ba9 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -318,6 +318,7 @@ my @regexen = (
 qr/<\?php\s+\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\\x([A-z0-9]{2})\"\;\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\)\)\;\$\_([A-z0-9]{1,20})\(\)\;\?>/is,
 qr/<\?php.+?Parabola.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
 qr/<\?php\s+function\s+html\(\$data\).+?array\_unshift\(\$data\,.+?array\_push\(\$parag\,\$word\)\;.+?echo\(html\(array\(.+?\?>/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas.+?array\(\'gzu.+?eval.+?\?>/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index 18a0307..8418376 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -799,7 +799,8 @@ my @regexen = (
 qr/<\?php\s+\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\\x([A-z0-9]{2})\"\;\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\)\)\;\$\_([A-z0-9]{1,20})\(\)\;\?>/is,
 qr/<\?php.+?Parabola.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
 qr/<\?php\s+function\s+html\(\$data\).+?array\_unshift\(\$data\,.+?array\_push\(\$parag\,\$word\)\;.+?echo\(html\(array\(.+?\?>/is,
-
+ qr/<\?php\s+\$([A-z0-9]{1,20})\_([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas.+?array\(\'gzu.+?eval.+?\?>/is,
+
 );
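Review bot: The new `qr/…/is` entry, added identically in the malware5.pl and malwaresh.pl hunks, can match far more than the loader it appears to target: under `/s` each `.+?` gap may run across unrelated `<?php … ?>` blocks, and the bare `eval` also matches inside words such as `retrieval`. `[A-z0-9]` is wider than letters and digits, because the ASCII range `A-z` also contains `[`, `\`, `]`, `^`, `_` and the backtick; with `/i` in effect `\w{1,20}` states what the name parts are, and the capture parentheses can be dropped unless the matching loop, which lies outside the hunk, reads `$1`/`$2`. I would end the pattern with `\beval\s*\(.+?\?>` if the sample calls eval directly, and replace the open gaps with bounded ones of the form `.{1,N}?` (N a concrete limit taken from the sample), so that a large scanned file cannot make the engine rescan to end of input from every `<?php` it finds. A comment above the entry, for example `# name arrays array('bas…') / array('gzu…') followed by eval; sample: <reference>`, would let the next maintainer retest it. The three context entries are byte-identical in both files, so the two `@regexen` lists look hand-copied, and moving them into one shared module would keep them from drifting apart.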