From 68f4aa3ab07404a28e243a341188afb800f5ad63 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sun, 29 Oct 2017 08:37:06 +0100
Subject: [PATCH] new patterns
---
 malware4.pl | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/malware4.pl b/malware4.pl
index 528c1be..f46b875 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -189,7 +189,10 @@ my @regexen = (
 qr/<\?php\s+\$user\_agent\_to\_filter\s+\=\s+array\(.+?if\(\@\$isbot\)\{.+?echo\s+\$result\;\s+\}\s+\?>/is,
 qr/<\?php\s+\$key\s+\=\'([A-z0-9]{1,20})\'\;\s+\$key\s+\.\=.+?eval\(\$b\(\$new\)\)\;\s+\?>/is,
 qr/<\?php\s+\/\*\s+\(c\)\s+2011\s+The\s+potion\s+hissed.+?\=base64\_decode\(.+?\=\@gzinflate\(strrev\(.+?\=create\_function\(.+?\}\s+\?>/is,
-
+ qr/<\?php\s+\/\*\s+\(c\)\s+2004.+?\=base64\_decode\(.+?\=\@gzinflate\(strrev\(.+?if\(crc32\(.+?\=create\_function\(.+?\)\;\s+\}\s+\?>/is,
+ qr/<\?php.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\.chr\(.+?\?>/is,
+ qr/<\?php\s+if\(\s+isset\(\$\_REQUEST\[\"test\_url\"\]\)\s+\)\{\s+echo\s+\"file\s+test\s+okay\"\;.+?\$data\s+\=\s+base64\_decode\(.+?die\(\"([0-9]{1,20})\"\)\;\s+\}/is,
+
 );
 my @base64_decodes = (
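Review bot: The second added pattern, the one built from sixteen `.+?\.chr\(` links, is both very broad and expensive to evaluate. Under `/s` each `.+?` can span the whole file, so any PHP file that contains sixteen `.chr(` calls with a `?>` somewhere after them matches. A file with many `.chr(` calls and no closing `?>` after them makes the engine retry every combination of call positions before failing, which lets one crafted or merely unusual file stall the scanner. How `@regexen` is consumed lies outside this hunk; if matches are stripped from the scanned file, the breadth also risks deleting legitimate code. If the samples chain the calls back to back, a counted atomic group such as `(?>\.chr\(\s*\d+\s*\)\s*){16}` in place of the links keeps matching linear and limits hits to an actual chr() chain (to be confirmed against the samples). A one-line comment above each new entry naming the sample it was derived from would help later false-positive triage.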