diff --git a/malware4.pl b/malware4.pl
index 131e66d..2d5ec89 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -57,7 +57,9 @@ my @regexen = (
     qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\).+?\)\;\s+exit\(\)\;/is,
     qr/<\?php\s+define\(\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"\)\;\s+define\(\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"\)\;.+?else\s+if\(strcasecmp\(\$h\,\s+\$key\)\s+\=\=\s+0\)\s+unset\(\$headers\[\$h\]\)\;\s+\}\s+\}/is,
     qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]\)\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\(\)\;\Z/is,
- 
+	qr/<\?php\s+\$ua\s+\=\s+\$\_SERVER\[\'HTTP\_USER\_AGENT\'\]\;\s+if\s+\(preg\_match\(\'\/facebook\/si\'\,\$ua\)\)\s+\{.+?<\/noframes>\s+<\/html>\'\;\s+\}\s+\?>/is, 
+    qr/<\?php\s+session\_start\(\)\;.+?\.php\_uname\(\)\..+?<\/form>/is,
+
 
     
 );