diff --git a/malware6.pl b/malware6.pl
index bbab26e..4f8ba79 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -236,6 +236,7 @@ my @regexen = (
     qr/<\?php \$([A-z0-9_]{1,20})=\'ba\'\.\'s\'\.\'e6\'\.\'4_\'\.\'de\'\.\'code\'; \@eval\(\$([A-z0-9_]{1,20})\(.+?([A-z0-9_]{1,20})\'\)\);/is,
     qr/<\?php\s+ignore_user_abort\(\);.+?system\(base64_decode\(.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is,
     qr/<\?php for\(\$o=0,\$e=\'&\\\'\(\)\*\+,-\.:\].+?\(:\)^\',\$d=\'\';\@ord\(\$e\[\$o\]\);\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]=\$o;\}else\{\$d\.=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\);\}\}eval\(\$d\); \?>/is,
+    qr/<\?php\s+\$ver = \'abcdefghijklmnopqrstuvwxyz\';\s+\$check = \$ver\{.+?\(\$check\(array\(\'\\n\', \';\'\).+?value=\"&amp;\"\/><\/form>/is,
         
 
 
diff --git a/malwaresh.pl b/malwaresh.pl
index e377ae4..e99de7a 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -26,6 +26,7 @@ print "Content-type: text/html\n\n";
 my $user = $ARGV[0];
 
 my @regexen = (
+    qr/<\?php\s+\/\/header\(.+?\$([O0_]{1,6})=\(.+?\\x\d\d\"\]\(\);\?>/is,
     qr/<\?php\s+\/\/header\(.+?\$([A-z0_]{1,20})=urldecode\(.+?\]\(\);\?>/is,
     qr/<\?php\s+if \(isset\(\$\{\"_REQUE\"\.\"ST\"\}\[\'([A-z0-9_]{1,20})\'\]\)\)\{\$([A-z0-9_]{1,20})=\"assert\";\$([A-z0-9_]{1,20})\(\$\{\"_REQUEST\"\}\[\'([A-z0-9_]{1,20})\'\]\);exit;\} \/\/([A-z0-9_]{1,20})\s+if \(!extension_loaded\(\'IonCube_loader\'\)\).+?\?>\s+([A-z0-9_]{50,})\Z/is,
     qr/<\?php\s+\$([A-z0_]{1,10})=.+?\$([A-z0_]{1,10})=\'\|hateyou\|\';.+?\$([A-z0_]{1,10})=urldecode\(\"\%.+?\$([A-z0_]{1,10})=\"([A-z0-9_]{20,})\";\?>/is,
@@ -1219,11 +1220,11 @@ my @regexen = (
     qr/<\?php\s+\$([A-z0-9]{1,6})=\$_REQUEST\[\'sort\'\];\$([A-z0-9]{1,6})=\'\';\$([A-z0-9]{1,6})=\"wt8m4.+?\$([A-z0-9]{1,6})=strrev\(\"noi\"\.\"tcnuf\"\.\"_eta\"\.\"erc\"\);\$([A-z0-9]{1,6})=\$([A-z0-9]{1,6})\(\"\",\$([A-z0-9]{1,6})\(\$([A-z0-9]{1,6})\)\);\$([A-z0-9]{1,6})\(\);.+?\$_FILES\[\'file\'\]\[\'name\'\]\)\)\{echo\'<b>Success_Upload!!!<\/b><br><br>\';\}else\{echo\'<b>Error<\/b><br><br>\';\}\};\};/is,
     qr/<\?php \@ini_set\(\"error_log\",null\);\@ini_set\(\"log_errors\",0\);\@ini_set\(\"max_execution_time\",0\);\@set_time_limit\(0\);error_reporting\(0\).+?\)\{\}else\{file_put_contents\(\$.+?\);\}else\{([A-z0-9]{1,6})_\(\$_SERVER\[\'DOCUMENT_ROOT\'\]\);\}\}\}\}\}\}\}\};/is,
     qr/<\?php\s+\@ini_set\(\"display_errors\", \"0\"\);.+?if \(!\$npDcheckClassBgp\) \{.+?\$npDcheckClassBgp = \"([A-z0-9]{1,6})\";\s+\}\s+\?>/is,
-    qr/<\?php\s+\/\/header\(.+?\$([O0_]{1,6})=\(.+?\\x\d\d\"\]\(\);\?>/is,
-    qr/<\?php \$([A-z0-9_]{1,20})=\'ba\'\.\'s\'\.\'e6\'\.\'4_\'\.\'de\'\.\'code\'; \@eval\(\$([A-z0-9_]{1,20})\(.+?([A-z0-9_]{1,20})\'\)\);/is,
+    qr/<\?php \$([A-z0-9_]{1,20})=\'ba\'\.\'s\'\.\'e6\'\.\'4_\'\.\'de\'\.\'code\'; \@eval\(\$([A-z0-9_]{1,20})\(.+?\'\)\);/is,
     qr/<\?php\s+ignore_user_abort\(\);.+?system\(base64_decode\(.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is,
     qr/<\?php for\(\$o=0,\$e=\'&\\\'\(\)\*\+,-\.:\].+?\(:\)^\',\$d=\'\';\@ord\(\$e\[\$o\]\);\$o\+\+\)\{if\(\$o<16\)\{\$h\[\$e\[\$o\]\]=\$o;\}else\{\$d\.=\@chr\(\(\$h\[\$e\[\$o\]\]<<4\)\+\(\$h\[\$e\[\+\+\$o\]\]\)\);\}\}eval\(\$d\); \?>/is,
-    
+    qr/<\?php\s+\$ver = \'abcdefghijklmnopqrstuvwxyz\';\s+\$check = \$ver\{.+?\(\$check\(array\(\'\\n\', \';\'\).+?value=\"&amp;\"\/><\/form>/is,
+