new patterns

malware5.pl

@@ -376,7 +376,10 @@ my @regexen = (
     qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\s+die\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+if\s+\(isset\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\s+eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
     qr/<\?php\s+define\(\'CONFIG_FILE\'\,\s+\'\/images\/config\.db\'\)\;.+?function\s+getLinks\(\$server\_host\,\s+\$server\_port\,\s+\$path\,\s+\$key\).+?process\(\)\;\s+\?>/is,
     qr/<\?php.+?Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$.+?\}exit\(\)\;\}\s+\?>/is,
-   
+    qr/<\?php.+?\]\)\?base64\_decode\(\$\_GET\[.+?ob\_end\_flush\(\)\;/is,
+    qr/\*\/\s+\$\w\=\@\$\w\(\'\'\,strrev\(\'\;\)\)\]B2D2C\_PTTH\[REVRES\_\$\(edoced\_46esab\(lave\'\)\)\;\@\$\w\(\)\;\s+\/\*/is,
+    qr/\#\!\/usr\/bin\/perl\s+\-w\s+\'\'\=\~\(\'\(\?\{\'\.\(\'.+?\'\)\.\'\$\/\}\)\'\);/is,
+
     );
 
 my @base64_decodes = (

malwaresh.pl

@@ -859,7 +859,9 @@ my @regexen = (
     qr/<\?php\s+if\s+\(isset\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\)\s+die\(\$\_GET\[\"([A-z0-9]{1,20})\"\]\)\;\s+if\s+\(isset\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\s+\{\s+eval\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,20})\"\]\)\)\;\s+exit\;\s+\}\s+\?>/is,
     qr/<\?php\s+define\(\'CONFIG_FILE\'\,\s+\'\/images\/config\.db\'\)\;.+?function\s+getLinks\(\$server\_host\,\s+\$server\_port\,\s+\$path\,\s+\$key\).+?process\(\)\;\s+\?>/is,
     qr/<\?php.+?Array\(\)\;global\s+\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+\$GLOBALS\;\$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?\{eval\/\*([A-z0-9]{1,20})\*\/\(\$.+?\}exit\(\)\;\}\s+\?>/is,
-    
+    qr/<\?php.+?\]\)\?base64\_decode\(\$\_GET\[.+?ob\_end\_flush\(\)\;/is,
+    qr/\*\/\s+\$\w\=\@\$\w\(\'\'\,strrev\(\'\;\)\)\]B2D2C\_PTTH\[REVRES\_\$\(edoced\_46esab\(lave\'\)\)\;\@\$\w\(\)\;\s+\/\*/is,
+    qr/\#\!\/usr\/bin\/perl\s+\-w\s+\'\'\=\~\(\'\(\?\{\'\.\(\'.+?\'\)\.\'\$\/\}\)\'\);/is,
 
 );