From 74fbe203a1521b3e3f911e75db3e3e801cf3cab0 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Wed, 19 Jul 2017 20:27:36 +0200
Subject: [PATCH] new pattern
---
 malware4.pl | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/malware4.pl b/malware4.pl
index 083ec25..75a8ad9 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -137,6 +137,8 @@ my @regexen = (
 qr/<\?php.+?if\(isset\(\$\_COOKIE\[.+?array\(.+?implode\(.+?\;\}/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\'.+?if\(isset\(\$\{\$([A-z0-9]{1,20})\[([0-9]{1,5})\]\.\$.+?\.\$([A-z0-9]{1,20})\[([0-9]{1,5})\]\]\)\;\}\s+\?>/is,
 qr/<\?php.+?str\_ireplace\(\"i\"\,\"\"\,\"iibiasiieii6iii4iiii\_iideicioidieii\"\).+?\?>/is,
+ qr/<\?php\s+preg\_replace\(\"\/([A-z0-9]{1,20})\/e\"\,\s+\"ev\"\.\"al\(\'\"\.\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\.\"\'\)\"\,\s+\"([A-z0-9]{1,20})\s+([A-z0-9]{1,20})\"\)\;\s+\?>/is,
+