From 1a6d57611c1d83c3d5fafedec6f993b173629188 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Mon, 12 Mar 2018 12:02:28 +0100
Subject: [PATCH] new patterns

---
 malware4.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/malware4.pl b/malware4.pl
index adea505..fe0be8a 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -352,6 +352,7 @@ my @regexen = (
     qr/<\?php\s+\$\{\"\\x.+?\]\=\"key\"\;\@ini\_set\(.+?\]\}\=\@unserialize\(decode\(get\_params\(\$\{\$\{\"GLO.+?\]\}\;\}\s+\?>/is,
     qr/<\?php\s+eval\(gzinflate\(base64\_decode\(.+?\'\)\)\)\;\s+\?>/is,
     qr/<\?php\s+eval\(\"\?>\"\.base64\_decode\(\".+?\"\)\)\;\s+\?>/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\;\$([A-z0-9]{1,20})\s+\=\s+Array\(\)\;\$([A-z0-9]{1,20})\[\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\d\]\;\$([A-z0-9]{1,20})\[\].+?\;foreach\s+\(\$([A-z0-9]{1,20})\[\d\]\(\$\_COOKIE\,\s+\$\_POST\)\s+as\s+\$([A-z0-9]{1,20}).+?\$([A-z0-9]{1,20})\[\d\]\(\$([A-z0-9]{1,20})\)\)\)\)\;\}/is,
 
 );