From 28bf4e2a134b0ea9d09b212b47d1a9bb0338a818 Mon Sep 17 00:00:00 2001 From: Palma Solutions LTD Date: Fri, 20 Apr 2018 20:15:02 +0200 Subject: [PATCH] new pattern --- malware5.pl | 2 ++ 1 file changed, 2 insertions(+) diff --git a/malware5.pl b/malware5.pl index f1820e1..18dbb63 100644 --- a/malware5.pl +++ b/malware5.pl @@ -230,7 +230,9 @@ my @regexen = ( qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\(([A-z0-9]{1,20})\.\'@\'\..+?\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\.\/\*.+?\)\;eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;.+?\'\;/is, qr/<\?php\s+\$OO00O0\=\d\;eval\(gzinflate\(base64\_decode\(str\_rot13\(.+?\)\)\)\)\;\?>/is, qr/<\?php\s+\$OO00O0\=\d\;eval\s+\(gzinflate\s+\(base64\_decode\s+\(str\_rot13\s+\(.+?\)\)\)\)\;\?>/is, + qr/RewriteRule\s+\^g\(\\d\+\)\[\-\/\]\.\*.+?RewriteRule\s+\^v\(\\d\+\)\[\-\/\]\.\*.+?RewriteRule\s+\^\.\*\[\-\/\]g\(\\d\+\)\[\-\/\]v\(\\d\+\)\[\-\/\]\.\*\$\s+index\\\.php\?id\=\$1\-\$2\&\%\{QUERY\_STRING\}\s+\[L\]/is, + ); my @base64_decodes = (
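Review bot: The two `.+?` gaps in the added `RewriteRule` pattern are unbounded and run under `/s`, so a match can stretch from the first `^g(\d+)` rule across any amount of unrelated content to the last rule, and on a large input each candidate start is scanned to the end of the buffer. If the scanner removes or rewrites matched text (the code that consumes `@regexen` is outside this hunk, as is the start of the list), legitimate directives sitting between the three rules would be taken with it. Bounding each gap, e.g. `.{1,300}?` in place of `.+?`, keeps the match to the injected block; the exact limit should be checked against real samples. A comment above the entry would also help, since the three neighbouring entries visible here all match PHP and this one does not: `# .htaccess doorway rewrite: g<N>/v<N> URLs routed to index.php?id=$1-$2`.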