From 45e7edb64e55f5ea9d46d2bb9f4c246f00370f0f Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Thu, 3 May 2018 12:27:02 +0200
Subject: [PATCH] new patterns

---
 malware5.pl  | 2 +-
 malwaresh.pl | 1 +
 2 files changed, 2 insertions(+), 1 deletion(-)

diff --git a/malware5.pl b/malware5.pl
index 1d6524c..98ddce6 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -389,7 +389,7 @@ my @regexen = (
     qr/<u\s+style\=\"position\:\s+absolute\;\s+width\:\s+1px\;\s+height\:\s+1px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-5000px\;\s+overflow\:\s+hidden\;\">.+?pornstar.+?gay.+?www\..+?<\/h1><\/a>.+?<\/u>/is,
     qr/<\?php\s+error\_reporting\(.+?\@include\(\$\_FILES\[\'u\'\]\[\'tmp\_name\'\]\)\;.+?header\(\"HTTP\/1\.0\s+404.+?exit\(\)\;\s+\}\s+\?>/is,
     qr/<\?php\s+\@assert\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
-        
+    qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval.+?\?>/is,
 
     );
 
diff --git a/malwaresh.pl b/malwaresh.pl
index 514e6b9..dab18c9 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -872,6 +872,7 @@ my @regexen = (
     qr/<u\s+style\=\"position\:\s+absolute\;\s+width\:\s+1px\;\s+height\:\s+1px\;\s+margin\:\s+0\;\s+top\:\s+\-1000px\;\s+left\:\s+\-5000px\;\s+overflow\:\s+hidden\;\">.+?pornstar.+?gay.+?www\..+?<\/h1><\/a>.+?<\/u>/is,
     qr/<\?php\s+error\_reporting\(.+?\@include\(\$\_FILES\[\'u\'\]\[\'tmp\_name\'\]\)\;.+?header\(\"HTTP\/1\.0\s+404.+?exit\(\)\;\s+\}\s+\?>/is,
     qr/<\?php\s+\@assert\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\?>/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?array\(\'bas\'\s+\,\'e64\'\s+\,\'\_de\'\s+\,\'cod\'\s+\,\'e\'\)\;\s+\$([A-z0-9]{1,20})\s+\=\s+array\(\'gzun\'\,\s+\'comp\'\,\s+\'ress\'\)\s+\;\$.+?eval.+?\?>/is,
 
 );