From 950faa573eda07fbf4fa64ccc34bdc16a4a18a3b Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Thu, 10 May 2018 21:40:59 +0200
Subject: [PATCH] new patterns

---
 malware5.pl  | 2 ++
 malwaresh.pl | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/malware5.pl b/malware5.pl
index 9dd12f4..a226c60 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -500,6 +500,8 @@ my @regexen = (
     qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/\/\}\}([A-z0-9]{20,})\s+\?>/is,
     qr/<html>.+?print\s+\"<h1>\#p\@\$c\@\#<\/h1>\\n\"\;.+?touch\/\*\;\*\/\(\$filename\,\s+\$time\)\;.+?<\/html>/is,
     qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen\=a\.length\;for\(i\=0\;i<clen\;i\+\+\)\{b\+\=String\.fromCharCode\(a\.charCodeAt\(i\)^2\)\}c\=unescape\(b\)\;document\.write\(c\)\;<\/script>/is,
+    qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{20,})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{20,})\(([A-z0-9]{20,})\,([A-z0-9]{20,})\)\)\;\}\;\?>/is,
+    qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is,
     
 );
 
diff --git a/malwaresh.pl b/malwaresh.pl
index 2eb92b2..b68bc33 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -983,7 +983,8 @@ my @regexen = (
     qr/<\?php.+?GLOBAL\s+\$wehaveitagain\;.+?\/\/\}\}([A-z0-9]{20,})\s+\?>/is,
     qr/<html>.+?print\s+\"<h1>\#p\@\$c\@\#<\/h1>\\n\"\;.+?touch\/\*\;\*\/\(\$filename\,\s+\$time\)\;.+?<\/html>/is,
     qr/<script\s+type\=\"text\/javascript\">var\s+a\=\"\'([A-z0-9]{1,20})\'.+?clen\;clen\=a\.length\;for\(i\=0\;i<clen\;i\+\+\)\{b\+\=String\.fromCharCode\(a\.charCodeAt\(i\)^2\)\}c\=unescape\(b\)\;document\.write\(c\)\;<\/script>/is,
-
+    qr/<\?php\s+\/\*versio\:\d\.\d\d\*\/\s+\$GLOBALS\[\"([A-z0-9]{1,20})\".+?\)\;\s+return\s+\$\w\(substr\(\$\w\,\s+\$\w\,\s+\$\w\)\)\;\}\;eval\(([A-z0-9]{1,20})\(([A-z0-9]{1,20})\,([A-z0-9]{1,20})\)\)\;\}\;\?>/is,
+    qr/<\?php\s+\$.+?\'gzun.+?ress\'\;\$.+?\'ba.+?64.+?array\(.+?eval\(.+?\?>/is,
 );
 
 my @base64_decodes = (