From 26fd7a2a1907c6d7ea577513152b5b3c16dbac18 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 19 Feb 2018 07:11:07 +0100
Subject: [PATCH] new pattern
---
 malware4.pl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/malware4.pl b/malware4.pl
index 7bd2885..bb8f7fa 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -328,8 +328,9 @@ my @regexen = (
 qr/<\?php\s+\/\/\#\#\#\=\=\=\=\#\#\#\s+\@error\_reporting\(E\_ALL\)\;.+?\@assert\_options\(ASSERT\_QUIET\_EVAL.+?\/\/\#\#\#\=\=\=\=\#\#\#\s+\?>/is,
 qr/<\?php.+?\/\/\#\#\#\=\=\=\=\#\#\#\s+\@error\_reporting\(E\_ALL\)\;.+?\@assert\_options\(ASSERT\_QUIET\_EVAL.+?\/\/\#\#\#\=\=\=\=\#\#\#/is,
 qr/<\?php\s+extract\(\$\_COOKIE\)\;\@\$F\&\&\(\@\$F\(\$A\,\$B\)\|\|\@\$W\(\$X\(\$Y\,\$Z\)\)\)\;/is,
-
-
+ qr/<\?php\s+eval\(\"\\n\\\$([A-z0-9]{1,20})\s+\=\s+intval\(\_\_LINE\_\_\)\s+\*\s+337\;\"\)\;\s+\$a\s+\=.+?\$a\s+\=\s+str\_replace\(\$([A-z0-9]{1,20})\,\s+\"E\"\,\s+\$a\)\;\s+eval\s+\(gzinflate\(base64\_decode\(\$a\)\)\)\;/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?function\s+([A-z0-9]{1,20})\(\$\w\)\{return\s+chr\(ord\(\$\w\)\-1\)\;\}\s+\@error.+?\$([A-z0-9]{1,20})\s+\=\s+implode\(array\_map.+?\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
+
 );
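Review bot: The identifier class `[A-z0-9]` in both added `qr//` entries is wider than it looks: the range `A-z` also covers `[`, `\`, `]`, `^`, `_` and the backtick, so the signatures accept strings that are not PHP variable names; since `/i` is already set, `[a-z0-9_]{1,20}` says what is meant. In the first new pattern the variable inside `str_replace(...)` is presumably the one defined in the `eval` string, so a named capture with a back-reference (`(?<v>[a-z0-9_]{1,20})` … `\k<v>`) would tighten the match; the plain groups capture values that nothing in the hunk reads. The second pattern chains three unbounded `.+?` under `/s` between `<\?php` and `\?>`, so on a large file it can stretch across unrelated PHP blocks and backtrack heavily; a bounded gap such as `.{1,2000}?` (limit illustrative, to be tuned against real samples) would keep false positives and scan time in check. `@regexen` starts above the hunk and the code that applies it is not visible, so whether a match only flags a file or also rewrites it should be confirmed, since an over-wide match matters far more in the second case.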