diff --git a/malware4.pl b/malware4.pl
index adea505..fe0be8a 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -352,6 +352,7 @@ my @regexen = (
     qr/<\?php\s+\$\{\"\\x.+?\]\=\"key\"\;\@ini\_set\(.+?\]\}\=\@unserialize\(decode\(get\_params\(\$\{\$\{\"GLO.+?\]\}\;\}\s+\?>/is,
     qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\'\)\)\)\;\s+\?>/is,
     qr/<\?php\s+eval\(\"\?>\"\.base64\_decode\(\".+?\"\)\)\;\s+\?>/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\;\$([A-z0-9]{1,20})\s+\=\s+Array\(\)\;\$([A-z0-9]{1,20})\[\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\d\]\;\$([A-z0-9]{1,20})\[\].+?\;foreach\s+\(\$([A-z0-9]{1,20})\[\d\]\(\$\_COOKIE\,\s+\$\_POST\)\s+as\s+\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\[\d\]\(\$([A-z0-9]{1,20})\)\)\)\)\;\}/is,
 
 );