From 2b563257599a5f4f9c4303a3a62f1e7ca7bfd922 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 22 Jul 2017 11:37:02 +0200
Subject: [PATCH] new pattern

---
 malware4.pl | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/malware4.pl b/malware4.pl
index 4ec0d1a..9af9a92 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -150,7 +150,11 @@ my @regexen = (
 qr/<\?php\s+header\(\"Content\-type.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\@system\(\"\.\/1\.sh\"\)\;\s+\?>/is,
 qr/<\?php\s+\$\{\"G.+?\=getUseragent\(\).+?\=str\_replace\(.+?\]\}\;\}\s+\?>/is,
 qr/<\?php\s+\$s\=\@\$\_GET\[2\]\;if\(md5\(\$s\.\$s\)\=\=\"([A-z0-9]{1,32})\"\s+\&\&\s+\(\$p\=\'pr\'\.\'eg\_\'\.\'re\'\.\'place\'\)\s+\&\&\s+\(\$r\=\'str\'\.\'\_rot\'\.\'13\'\)\)\{\$p\(\'\/ad\/\'\.\'e\'\,\'\@\'\.\$r\(\'r\'\.\'in\'\.\'y\'\)\.\'\(\$\_POST\[\$s\]\)\'\,\'add\'\)\;\}\;echo\s+dirname\(\_\_FILE\_\_\)\;\?>/is,
- 
+ qr/\#\!\/bin\/sh\s+cd.+?libworker\.so.+?exit\s+0/is,
+ qr/<\?php\s+\/\/\s+NEXT\s+LINE.+?function\s+xor\_enc2\(\$str\).+?\;\?>/is,
+ qr/\#\!\/bin\/bash\s+DIRNAME\=\'\.gohome\'.+?bot\_works\(\)\s+\{.+?echo\s+\'done\'\;/is,
+ qr/\#\!\/bin\/sh\s+DIRNAME\=\'\.jshome\'.+?if\s+\[\s+\$\{MACHINE\_TYPE\}\s+\=\=\s+\'x86\_64\'\s+\]\;\s+then.+?echo\s+\'done\'\;/is,
+ qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=.+?\$\_([A-z0-9]{1,20})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,20})\'\,\s+([A-z0-9]{1,20})\s+\(base64\_decode\s+\(.+?strlen\s+\(\$([A-z0-9]{1,20})\\)\)\)\;\s+\}\s+\?>/is,