diff --git a/malware6.pl b/malware6.pl
index ba38c4b..0f21656 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -63,6 +63,9 @@ my @regexen = (
 qr/<\?php\s+\@ini_set\(.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\$npDcheckClassBgp = \"([A-z0-9]{1,20})\";\s+\}\s+\?>/is,
 qr/<\?php \/\* WARNING:.+?;eval\(base64_decode\(.+?\)\);return;\?>/is,
 qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/is,
+ qr/([A-z0-9]{1,20}) <\?php\s+if\(\@md5\(\$_POST\[\"gif\"\]\) === \"([A-z0-9]{20,})\"\) \{\s+eval \(base64_decode\(\$_POST\[\"php\"\]\)\);\s+exit;\s+\}\s+\?>/is
+ qr/<\?eval\(stripslashes\(array_pop\(\$_POST\)\)\)\?>/is,
+
 );
 
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 13e4568..f541dc2 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1048,7 +1048,9 @@ my @regexen = (
 qr/<\?php\s+\@ini_set\(.+?function wp_cd\(\$fd, \$fa=\"\"\).+?\$npDcheckClassBgp = \"([A-z0-9]{1,20})\";\s+\}\s+\?>/is,
 qr/<\?php \/\* WARNING:.+?;eval\(base64_decode\(.+?\)\);return;\?>/is,
 qr/<\?php\s+\@eval\(base64_decode\(.+?\)\);\s+\?>/is,
-
+ qr/([A-z0-9]{1,20}) <\?php\s+if\(\@md5\(\$_POST\[\"gif\"\]\) === \"([A-z0-9]{20,})\"\) \{\s+eval \(base64_decode\(\$_POST\[\"php\"\]\)\);\s+exit;\s+\}\s+\?>/is
+ qr/<\?eval\(stripslashes\(array_pop\(\$_POST\)\)\)\?>/is,
+
 );
 
 my @base64_decodes = (
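Review bot: The first added pattern in the malware6.pl hunk ends in `\s+\?>/is` with no trailing comma, so it runs straight into the next `qr/.../is,` element and `@regexen` will not compile; the identical line added in the malwaresh.pl hunk has the same omission. Terminate it as `\s+\}\s+\?>/is,` in both files. The class `[A-z0-9]` in the new pattern also matches the ASCII punctuation that sits between `Z` and `a`, and since `/i` is already set, `[a-z0-9]` for the prefix and `[0-9a-f]{32}` for the md5 literal would be tighter and less prone to false positives. The `array_pop` signature matches only that exact byte sequence, so allowing `\s*` between its tokens (as the neighbouring patterns do with `\s+`) would keep the scanner from missing trivially reformatted copies. The `@regexen` list and the code that consumes its capture groups lie outside both hunks, so it is worth confirming that a pattern with two captures, or with none, is handled there.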