diff --git a/malware4.pl b/malware4.pl
index 0962474..d34e013 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -129,6 +129,7 @@ my @regexen = (
     qr/<\?php\s+\@\'\$.+?x7\=http\:\/\/.+?\.php\s+cache=.+?\(\)\;\Z/is,
     qr/<\?php\s+set\_magic\_quotes\_runtime\(0\)\;\s+if\(strtolower\(substr\(PHP\_OS\,0\,3\)\).+?Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is,
     qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}.+?\"\)\{return\s+preg\_match\(\"\/\(google\.co\.jp\|yahoo\.co\.jp\|bing\)\/.+?return\s+\$([A-z0-9]{1,20})\;\}\Z/is,
+    qr/<\?if\(\$\_GET\[\'mod\'\]\)\{if\(\$\_GET\[\'mod\'\]\=\=\'0XX\'\s+OR\s+\$\_GET\[\'mod\'\]\=\=\'00X\'\)\{\$g\_sch\=file\_get\_contents\(\'http\:\/\/.+?gethostbyname\(\$\_SERVER\[\'HTTP\_HOST\'\]\.\'\.dbl\.spamhaus\.org\'\)\;.+?header\(\'HTTP\/1\.1\s+301\s+Moved\s+Permanently\'\)\;header\(\'Location\:\s+http\:\/\/([A-z0-9]{1,20})\.([A-z0-9]{1,20})\'\)\;\s+\?>/is,