From 859952aca6cda192e00b186c128ae2782687bafc Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Thu, 13 Jul 2017 21:41:43 +0200
Subject: [PATCH] two new patterns

---
 malware4.pl | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/malware4.pl b/malware4.pl
index a158547..0962474 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -127,12 +127,15 @@ my @regexen = (
     qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{eval\(\/\*([A-z0-9]{1,20})\*\/\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}.+?function\s+([A-z0-9]{1,20})\(\)\{\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{1,100})\"\;\s+return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is,
     qr/<\?php\s+\$alphabet\s+\=.+?\$string\s+\=.+?\$array\_name.+?\$f\(\)\;/is,
     qr/<\?php\s+\@\'\$.+?x7\=http\:\/\/.+?\.php\s+cache=.+?\(\)\;\Z/is,
+    qr/<\?php\s+set\_magic\_quotes\_runtime\(0\)\;\s+if\(strtolower\(substr\(PHP\_OS\,0\,3\)\).+?Command\s+completed<\/b><\/center>\"\;\s+\}\s+exit\;\s+\?>/is,
+    qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;exit\;\/\*([A-z0-9]{1,20})\*\/\}.+?\"\)\{return\s+preg\_match\(\"\/\(google\.co\.jp\|yahoo\.co\.jp\|bing\)\/.+?return\s+\$([A-z0-9]{1,20})\;\}\Z/is,
     
 
 
 
 
 
+
 );
 my @base64_decodes = (