From 8704797dd478523903f71747c2985a41b4323d32 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Wed, 17 Jan 2018 20:32:06 +0100
Subject: [PATCH] new pattern
---
 malware4.pl | 1 +
 1 file changed, 1 insertion(+)
diff --git a/malware4.pl b/malware4.pl
index 34fa891..69e8340 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -268,6 +268,7 @@ my @regexen = (
 qr/\$([A-z0-9]{1,20})\=\"\-1\(.+?\$([A-z0-9]{1,20})\=array\(\"([A-z0-9]{1,20})\"\=>\".+?\"\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\"\"\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;if\(\$([A-z0-9]{1,20})\(\@\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\]\)\=\=\$([A-z0-9]{1,20})\)\$([A-z0-9]{1,20})\(\)\;/is,
 qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\"\\x.+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is,
 qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=.+?\$\_([A-z0-9]{1,10})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,10})\'\,\s+([A-z0-9]{1,10})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\s+function\s+([A-z0-9]{1,10})\s+\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\s+\{\s+return\s+\$([A-z0-9]{1,10})\s+\^\s+str\_repeat\s+\(\$([A-z0-9]{1,10})\,\s+ceil\s+\(strlen\s+\(\$([A-z0-9]{1,10})\)\s+\/\s+strlen\s+\(\$([A-z0-9]{1,10})\)\)\)\;\s+\}\s+\?>/is,
+ qr/<\?php\s+\$k\=\"ass\"\.\"ert\"\;\s+\$k\(\$\{\"\_PO\"\.\"ST\"\}\s+\[\'admins\'\]\)\;\?>No\.1\s+<\?php\s+\@preg\_replace\(\"\/\/e\"\,\$\_POST\[\'sss\'\]\,\"Access\s+Denied\"\)\;\?>/is,
 );
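Review bot: The added `qr/…/is` entry matches only one exact copy of the sample: the variable name `$k`, the POST keys `admins` and `sss`, the `No.1` marker and the `Access Denied` text are all literal, `\s+` is mandatory after `\;` and after `\}`, and no whitespace is tolerated around `=`, `,` or `(`, so a renamed or re-indented copy of the same two statements would go unflagged. The neighbouring entries already abstract identifiers with capture classes; the same approach here, e.g. `\$(\w{1,20})\s*=\s*"ass"\s*\.\s*"ert"\s*;\s*\$\1\s*\(` for the assignment and call and `\[\s*'[^']{1,40}'\s*\]` for each key, would keep the signature anchored on the split `assert` string and the `preg_replace` `//e` call rather than on incidental names. A one-line comment above the entry, such as `# split "assert" called on $_POST, followed by preg_replace //e with a POST-supplied replacement`, would tell a later maintainer what the pattern is meant to catch. The `@regexen` list begins and is consumed outside this hunk, so how a match is acted on cannot be checked from here.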