From 3b3d8627a2c3ad8b592e8ecc2fa2368c2b2e7b76 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Thu, 12 Apr 2018 13:47:41 +0200
Subject: [PATCH] new patterns

---
 malware5.pl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/malware5.pl b/malware5.pl
index 864d9ba..bfd787a 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -173,7 +173,9 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\]\;\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$([A-z0-9]{1,20})\[\d\d\]\.\$([A-z0-9]{1,20})\[\d\]\.\$([A-z0-9]{1,20})\[\d\d\].+?\}\s+\}\s+if\s+\(\$([A-z0-9]{1,20})\s+>\=\s+\$([A-z0-9]{1,20})\)\s+\{\s+\$([A-z0-9]{1,20})\s+\+\=\s+1\;\s+\}\s+return\s+\$([A-z0-9]{1,20})\;\s+\}/is,
     qr/<\?php.+?eval\(\"\\\$\w\=gzin\"\.\"flate\(base\"\.\"64\_de\"\.\"code\(\\\".+?\\\"\)\)\;\"\)\;eval\(\"\?>\"\.\$\w\)\;\s+\?>/is,
     qr/<\?php\s+\$.+?\=\s+\'gzu\'\.\s+\'nco\'\.\s+\'mpr\'\.\s+\'ess\'\;\$.+?\=\s+\'b\'\s+\.\'a\'\s+\.\'s\'\s+\.\'e\'\s+\.\'6\'\s+\.\'4\'\s+\.\'\_\'\s+\.\'d\'\s+\.\'e\'\s+\.\'c\'\s+\.\'o\'\s+\.\'d\'\s+\.\'e\'\;\$.+?\=\s+\'im\'\s+\.\'pl\'\s+\.\'od\'\s+\.\'e\'\;\$.+?\=\s+array\(.+?eval\(.+?\)\)\)\)\;\s+\?>/is,
-    
+    qr/\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=\'\'\;\@eval\(base64\_decode\(.+?\)\)\;\/\*\,\*\//is,
+    qr/<\?php\s+preg\_replace\(\"\\x.+?\\x3B\"\,\"\"\)\;\s+\?>/is,
+    qr/<\?php.+?WordPress\s+Options\s+Header.+?eval\(gzinflate\(base64\_decode\(rawurldecode\(.+?\)\)\)\)\;\s+\?>/is,
 
 );