From 43b3245f4e4c497cb80928c2b5e183929d815364 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Thu, 10 May 2018 15:01:32 +0200
Subject: [PATCH] corrected pattern

---
 malware5.pl  | 2 +-
 malwaresh.pl | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/malware5.pl b/malware5.pl
index 6fba425..87dec40 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -499,7 +499,7 @@ my @regexen = (
     qr/\/\/\s+([A-z0-9]{20,})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{20,})/is,
     qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/\/\}\}([A-z0-9]{20,})\s+\?>/is,
     qr/<html>.+?print\s+\"<h1>\#p\@\$c\@\#<\/h1>\\n\"\;.+?touch\/\*\;\*\/\(\$filename\,\s+\$time\)\;.+?<\/html>/is,
-    qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{20,})\'.+?clen\;clen\=a\.length\;for\(i\=0\;i<clen\;i\+\+\)\{b\+\=String\.fromCharCode\(a\.charCodeAt\(i\)\^2\)\}c\=unescape\(b\)\;document\.write\(c\)\;<\/script>/is,
+    qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen\=a\.length\;for\(i\=0\;i<clen\;i\+\+\)\{b\+\=String\.fromCharCode\(a\.charCodeAt\(i\)\^2\)\}c\=unescape\(b\)\;document\.write\(c\)\;<\/script>/is,
     
 );
 
diff --git a/malwaresh.pl b/malwaresh.pl
index 3d69975..3a3a2b3 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -982,8 +982,8 @@ my @regexen = (
     qr/\/\/\s+([A-z0-9]{20,})\s+echo\s+base64\_decode\(.+?\)\;\s+\/\/([A-z0-9]{20,})/is,
     qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/\/\}\}([A-z0-9]{20,})\s+\?>/is,
     qr/<html>.+?print\s+\"<h1>\#p\@\$c\@\#<\/h1>\\n\"\;.+?touch\/\*\;\*\/\(\$filename\,\s+\$time\)\;.+?<\/html>/is,
-    qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{20,})\'.+?clen\;clen\=a\.length\;for\(i\=0\;i<clen\;i\+\+\)\{b\+\=String\.fromCharCode\(a\.charCodeAt\(i\)\^2\)\}c\=unescape\(b\)\;document\.write\(c\)\;<\/script>/is,
-    
+    qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen\=a\.length\;for\(i\=0\;i<clen\;i\+\+\)\{b\+\=String\.fromCharCode\(a\.charCodeAt\(i\)\^2\)\}c\=unescape\(b\)\;document\.write\(c\)\;<\/script>/is,
+
 );
 
 my @base64_decodes = (