From 8a7bd0d95b4a4f3ab95f5b58053ac4ff03a66213 Mon Sep 17 00:00:00 2001
From: Malin <malin@cenusa.me>
Date: Mon, 30 Jan 2017 11:24:23 +0100
Subject: [PATCH] Update 'malware4.pl'

---
 malware4.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/malware4.pl b/malware4.pl
index 93d3d1c..131e66d 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -55,6 +55,7 @@ my @regexen = (
     qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\)\s+\{\s+\header\(\s+\'Content\-Type\:\s+image\/jpeg\'\s+\)\;\s+readfile\(\'http\:\/\/.+?\.jpg\'\)\;\s+\exit\(\)\;\s+\}\s+header\(\'Location\:\s+http\:\/\/.+?\'\)\;\s+exit\(\)\;/is,
     qr/function\s+l\_\_1\(\$.+?function\s+l\_\_3\(\$\_2\)\{if\(\$GLOBALS\[\Z/is,
     qr/<\?php\s+if\s+\(isset\(\$\_GET\[\'jpg\'\]\)\).+?\)\;\s+exit\(\)\;/is,
+    qr/<\?php\s+define\(\'URL\_HEADER\_NAME\'\,\s+\"X\-Upstream\-Url\"\)\;\s+define\(\'DEBUG\_HEADER\_NAME\'\,\s+\"X\-Debug\-Oleg\"\)\;.+?else\s+if\(strcasecmp\(\$h\,\s+\$key\)\s+\=\=\s+0\)\s+unset\(\$headers\[\$h\]\)\;\s+\}\s+\}/is,
     qr/<\?php\s+\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\=Array\(base64\_decode\(.+?return\s+base64\_decode\(\$a\[\$i\]\)\;\}.+?\$GLOBALS\[\'\_([0-9]{1,20})\_\'\]\[.+?\s+exit\(\)\;\Z/is,