diff --git a/malware6.pl b/malware6.pl
index c63fd2b..800b333 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -315,6 +315,7 @@ my @regexen = (
     qr/\*\/\s+\@\$wordpress404=\"e\\x76.+?\$wordpress401\(\$wp\[30\]\.\$wp\[31\]\.\$wp\[27\]\.\$wp\[30\]\.\$wp\[4\],\$wordpress404,\"\"\);\s+\/\*/is,
     qr/<\?php.+?if\(empty\(\$_GET\[\'ineedthispage\'\]\)\)\{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?if\(\!empty\(\$_COOKIE\[\'PHPSSIDDD2\'\]\)\)\{\$.+?\)\];\}return\$([A-z0-9_]{1,20});\};\s+\/\/item->alias\s+\?>/is,
     qr/if\(isset\(\$_REQUEST\[\'bot\'\]\)\) assert\(stripslashes\(\$_REQUEST\[bot\]\)\);/is,
+    qr/<\?php function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\} \$([A-z0-9_]{1,20}) =.+?\(\"at\",chr\(101\),\"\(\\x62a\"\);\$.+?\'\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
 
 
    
diff --git a/malwaresh.pl b/malwaresh.pl
index c803034..f6532f0 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -26,6 +26,7 @@ print "Content-type: text/html\n\n";
 my $user = $ARGV[0];
 
 my @regexen = (
+    qr/<\?php function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w;\} \$([A-z0-9_]{1,20}) =.+?\(\"at\",chr\(101\),\"\(\\x62a\"\);\$.+?\'\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
     qr/<\?php \$\{\"\\x47\\x4c\\x4fB\\x41\\x4c\\x53\"\}\[.+?eval\(\$([A-z0-9]{1,20})\[\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\[([0-9]{1,5})\]\]\);\s+\}\s+exit\(\);\s+\}\s+\}/is,
     qr/<\?php\s+\/\/header\(.+?\\x30\"\]\(\);\?>/is,
     qr/<\?php\s+\/\/header\(.+?\$([O0_]{1,6})=\(.+?\\x\d\d\"\]\(\);\?>/is,