From 43f7ca387a67a656d22465d2da59208d4db0b105 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 9 Jun 2018 11:23:04 +0200
Subject: [PATCH] new patterns
---
 malware6.pl | 2 ++
 malwaresh.pl | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/malware6.pl b/malware6.pl
index 225aec0..f9daeee 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -173,6 +173,8 @@ my @regexen = (
 qr/<\?php\s+if\(!empty\(\$_GET\[\'image\'\]\) && \$_GET\[\'image\'\] = \'image\'\) \{\s+if\(isset\(\$_POST\[\'Submit\'\]\)\)\{.+?\@move_uploaded_file\(\$tmp, \$path\);.+?<\/form>\s+<\?php\s+\}\s+\}/is,
 qr/<\?php function ([A-z0-9_]{1,20})\(\$\w,\$\w,\$\w,\$\w,\$\w\)\{return \$\w\.\$\w\.\$\w\.\$\w\.\$\w;\}\$([A-z0-9_]{1,20}) =.+?\$([A-z0-9_]{1,20}) = \"bas\\x656\\x34\\x5fd\";\$([A-z0-9_]{1,20}) = \"\\x29\)\)\\x3B\".+?\"\.\$([A-z0-9_]{1,20});\$([A-z0-9_]{1,20})\(\'\', \'\}\'\.\$([A-z0-9_]{1,20})\.\'\/\/\'\);/is,
 qr/<\?php\s+if \(\$_GET \[\'([A-z0-9_]{1,20})\'\]\) \{\s+echo \"OK\";\s+exit \(\);\s+\}\s+if\(\$_POST\[\'to\'\]\)\s+\{\s+\$to = \$_POST \[\'to\'\];.+?header \( \"Location: http:\/\/\{\$link\}\" \);\s+\}/is,
+ qr/