From 94216e6f34e5e8e08dbcbe16cb7f3996689cf0d6 Mon Sep 17 00:00:00 2001
From: Malin
Date: Fri, 28 Apr 2017 21:03:50 +0200
Subject: [PATCH] Update 'malware4.pl'
---
 malware4.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/malware4.pl b/malware4.pl
index fd797b5..9e1db3d 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -85,7 +85,8 @@ my @regexen = (
 qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\$([A-z0-9]{1,20})\=call\_user\_func\(.+?\)\;\s+\$([A-z0-9]{1,20})\=call\_user\_func\(.+?\)\;\s+eval\(\$([A-z0-9]{1,20})\)\;/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\".+?\"\;\$([A-z0-9]{1,20})\=call\_user\_func\(\$.+?\)\;\$([A-z0-9]{1,20})\=call\_user\_func\(\$.+?\)\;eval\(\$([A-z0-9]{1,20})\)\;/is,
 qr/var\s+\_0xaae8\=\[\"\"\,\".+?\"\]\;document\[\_0xaae8\[5\]\]\(\_0xaae8\[4\]\[\_0xaae8\[3\]\]\(\_0xaae8\[0\]\)\[\_0xaae8\[2\]\]\(\)\[\_0xaae8\[1\]\]\(\_0xaae8\[0\]\)\)/is,
- qr/<\?php\s+eval\(gzuncompress\(.+?\"\)\)/is,
+ qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\=\=\'\)\)\)\;/is,
+ qr/<\?php\s+eval\(gzuncompress\(.+?\)\)/is,
 qr/<\?php\s+\$report\_url\s+\=\s+\$\_POST\[\'url\'\]\;\s+\$pass\s+\=\s+\$\_POST\[\'pass\'\]\;\s+\$list\s+\=\s+\$\_POST\[\'list\'\]\;.+?if\s+\(\@stripos\(\$hello\,\'\+OK\'\)\!\=\=false\)\s+\{\s+return\s+true\;\s+\}\s+return\s+false\;\s+\}/is,
 );
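Review bot: The added `base64\_decode` signature only matches when the encoded text ends in exactly `=='`, so the same wrapper with one `=` of padding, no padding, or a double-quoted string falls through to the generic `gzuncompress\(.+?\)\)` entry, which stops at the first `))`. If these patterns are used to strip the matched text (the hunk does not show how `@regexen` is consumed), that fallback would leave a stray `);` in the cleaned file. Because `.+?` runs under `/s`, the specific pattern can also stretch from one `base64_decode(` to an unrelated `==')));` much later in the file. Restricting the payload to the base64 alphabet addresses both: `qr/<\?php\s+eval\(gzuncompress\(base64_decode\(\s*['"][A-Za-z0-9+\/\s]+={0,2}['"]\s*\)\)\)\s*;/is,`. The `@regexen` list begins above this hunk, so the ordering of these two entries relative to earlier ones cannot be checked from here.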