From 84ecbfa1bbc6af60c702bc19f341c5e958dd262f Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 21 Apr 2018 10:45:27 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 3 ++-
 malwaresh.pl | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/malware5.pl b/malware5.pl
index 9d12a26..4cde6cd 100644
--- malware5.pl
+++ b/malware5.pl
@@ -242,7 +242,8 @@ my @regexen = (
 qr/<\?php\s+\/\*.+?UBH\s+CSU.+?add\_action\(\"\\x.+?plugins\_url\(.+?\?>/is,
 qr/<\?php\s+\$\{\"GLOBAL\\x.+?\"\]\,\"\"\.\$\_FILES\[\".+?\"\]\}\=str\_replace\(\".+?\"\;\}\}\s+\?>/is,
 qr/<\?php\s+\/\*\s+b374k.+?if\(isset\(\$\_COOKIE\[\'b374k\'\]\)\)\{.+?\.\$s\_name\;\s+\?><\/p>\s+<\/body>\s+<\/html>/is,
-
+ qr/<\?php\s+function\s+sgen\(\)\s+\{\$vals\s+\=\s+\"abcdefghijklmnopqrstuvwxyz\"\;\s+\$result\s+\=\s+\"\"\;\s+for\(\$i.+?\.sgen\(\)\.\"\=\"\.bin2hex\(\$\_SERVER\[.+?exit\;\s+\?>/is,
+
 );
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 157fe9b..66c3e2f 100644
--- malwaresh.pl
+++ b/malwaresh.pl
@@ -722,6 +722,7 @@ my @regexen = (
 qr/<\?php\s+\/\*.+?UBH\s+CSU.+?add\_action\(\"\\x.+?plugins\_url\(.+?\?>/is,
 qr/<\?php\s+\$\{\"GLOBAL\\x.+?\"\]\,\"\"\.\$\_FILES\[\".+?\"\]\}\=str\_replace\(\".+?\"\;\}\}\s+\?>/is,
 qr/<\?php\s+\/\*\s+b374k.+?if\(isset\(\$\_COOKIE\[\'b374k\'\]\)\)\{.+?\.\$s\_name\;\s+\?><\/p>\s+<\/body>\s+<\/html>/is,
+ qr/<\?php\s+function\s+sgen\(\)\s+\{\$vals\s+\=\s+\"abcdefghijklmnopqrstuvwxyz\"\;\s+\$result\s+\=\s+\"\"\;\s+for\(\$i.+?\.sgen\(\)\.\"\=\"\.bin2hex\(\$\_SERVER\[.+?exit\;\s+\?>/is,
 );
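Review bot: The two `.+?` gaps in the added `sgen()` signature are unbounded under `/s`, so once the specific prologue matches, the tail `.+?exit\;\s+\?>` can run past the injected block to the first later `exit; ?>` in the same file. If the caller strips or quarantines the matched span (not visible in this hunk), legitimate code after the injection would go with it; a tempered gap such as `(?:(?!\?>).)+?exit\;\s+\?>` keeps the match inside one PHP block, assuming the sample has no inner `?>`. The identical entry is added to `@regexen` in malwaresh.pl, and the matching context lines suggest the two lists are kept in sync by hand, so loading them from one shared file would stop them drifting apart. A short comment above the entry, e.g. `# sgen(): random-letter parameter name + bin2hex($_SERVER[...]) (sample: <SAMPLE_ID>)`, would make a later false-positive report easier to triage.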