From 1dfd19472a94fe6c9a106a6e8ab45b54030aef4c Mon Sep 17 00:00:00 2001 From: Palma Solutions LTD Date: Mon, 21 May 2018 06:53:32 +0200 Subject: [PATCH] new pattern --- malware6.pl | 1 + malwaresh.pl | 4 ++++ 2 files changed, 5 insertions(+)
diff --git a/malware6.pl b/malware6.pl
index 9601da8..3d867a0 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -55,6 +55,7 @@ my @regexen = (
 qr/<\?php \@eval\(\"\?>\"\.base64_decode\(.+?\)\);\/\/Generated by Ampare PHP Encoder. For more security please use php protect before encode the php program/is,
 qr/<\?php echo \'
(viagra|cialis|levitra)<\/a><\/div>\'; \?>/is,
 qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode.+?curl_close\(\$([A-z0-9]{1,20})\);\}\}/is,
+ qr/RewriteEngine on\s+RewriteCond \%\{HTTP_USER_AGENT\} android \[NC,OR\].+?RewriteCond \%\{HTTP_USER_AGENT\} !\(windows\\\.nt\|bsd\|x11\|unix\|macos\|macintosh\|playstation\|.+?RewriteRule \^\(\.\*\)\$ http:\/\/.+?\.ru \[L,R=302\]/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index 19528c7..f49d368 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1040,6 +1040,10 @@ my @regexen = (
 qr/<\?php \@eval\(\"\?>\"\.base64_decode\(.+?\)\);\/\/Generated by Ampare PHP Encoder. For more security please use php protect before encode the php program/is,
 qr/<\?php echo \'
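Review bot: The new `qr/RewriteEngine on…/is` entry uses `\s+` only after `RewriteEngine on`; every other separator is a literal single space, so the same injected .htaccess block written with tabs or extra spaces would go unmatched. With `/s`, the three `.+?` gaps also cross newlines with no bound, so `http:\/\/.+?\.ru` can stretch from one rule to a `.ru [L,R=302]` much further down; if matches drive cleanup rather than only reporting (not visible here), that span could take unrelated rules with it. I would use `\s+` between tokens and keep the URL to one token, e.g. ending the pattern with `RewriteRule\s+\^\(\.\*\)\$\s+http:\/\/\S+?\.ru\s+\[L,R=302\]`. The identical line is added to `malwaresh.pl` in the next hunk and needs the same change; `@regexen` opens above both hunks.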
(viagra|cialis|levitra)<\/a><\/div>\'; \?>/is,
 qr/if\(\$([A-z0-9]{1,20})=curl_init\(\)\)\{if\(isset\(\$_GET\[base64_decode.+?curl_close\(\$([A-z0-9]{1,20})\);\}\}/is,
+ qr/RewriteEngine on\s+RewriteCond \%\{HTTP_USER_AGENT\} android \[NC,OR\].+?RewriteCond \%\{HTTP_USER_AGENT\} !\(windows\\\.nt\|bsd\|x11\|unix\|macos\|macintosh\|playstation\|.+?RewriteRule \^\(\.\*\)\$ http:\/\/.+?\.ru \[L,R=302\]/is,
+
+
+
 );
 my @base64_decodes = (
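Review bot: This hunk pastes the signature into a second `@regexen` list whose neighbouring entries are identical to those in `malware6.pl`, so the two scripts appear to carry duplicate pattern tables that have to be kept in sync by hand. Keeping the signatures in one shared file that both scripts load would stop one scanner from silently lagging behind the other. The three blank lines added before `);` look accidental and can be dropped. A short comment above the new entry, such as `# .htaccess user-agent redirect to a .ru host`, would help, since none of the entries visible here say what they detect.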