From 953b4dc786b5b7c4296736155a318ddce2541804 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Mon, 1 Oct 2018 10:44:35 +0200
Subject: [PATCH] new patterns

---
 malware6.pl  | 7 +++++++
 malwaresh.pl | 8 +++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/malware6.pl b/malware6.pl
index 53110cd..acc30a9 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -331,6 +331,13 @@ my @regexen = (
     qr/<\?php.+?\$default_charset=\'Wind\'\.\'o\.\'\.\'ws-12\'\.\'51\';\s+\$default_action=\'F\'\.\'il\'\.\'esMan\';\s+\$color=\'\#d\'\.\'f5\';\s+\$default_use_ajax=true;\s+\$JFactory = strrev\(\'edo\'\.\'c\'\.\'ed_4\'\.\'6e\'\.\'sab\'\);\s+\$JComponentHelper = strrev\(\'ecalp\'\.\'er\'\.\'_ge\'\.\'rp\'\);.+?\\x29\\x29\\x3B\",\"\.\"\);\s+\?>/is,
     qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\', \'z\', \'u\', \'n\', \'c\', \'o\', \'m\', \'p\', \'r\', \'e\', \'s\', \'s\'\) ;\$.+?\) \) \) \) ; \?>/is,
     qr/<\?php echo eval\(base64_decode\(str_replace\(\'\*\',\'a\',str_replace\(\'%\',\'B\',str_replace\(\'~\',\'F\',str_replace\(\'_\',\'z\',str_replace\(\'\$\',\'x\',str_replace\(\'\@\',\'d\',str_replace\(\'^\',\'3\',str_rot13\(.+?\)\)\)\)\)\)\)\)\)\); \?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \'\'\.chr\(115\)\.\'t\'\.chr\(114\)\.\'r\'\.chr\(101\)\.\'v\';\$([A-z0-9_]{1,20}) = array\(.+?\$([A-z0-9_]{1,20})\(\'ed\'\.chr\(111\)\.\'ced_46\'\.chr\(101\)\.\'\'\.chr\(115\)\.\'\'\.chr\(97\)\.\'\'\.chr\(98\)\.\'\'\);\$.+?\)\)\)\); \?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'r\'\.chr\(114\)\.\'ev\';\$([A-z0-9_]{1,20}) = array\(.+?\$([A-z0-9_]{1,20})\(\'edo\'\.\'ced\'\.\'_46\'\.\'esa\'\.\'b\'\);\$.+?\$([A-z0-9_]{1,20})\(\'eta\'\.\'lfn\'\.\'izg\'\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
+    qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\) \&\& \$_SERVER\[\'REQUEST_URI\'\]\!=\"\/\" \&\& \$_SERVER\[\'REQUEST_URI\'\]\!=\"\/index\.php\" \&\& \!empty\(\$_SERVER\[\'REQUEST_URI\'\]\)\) \{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?\.\"\\\(\/\",\"II\"\.randStringfrpernames\(\)\.\"\(\",\$.+?\};\s+\?>/is,
+    qr/<\?php.+?\*\/\s+\$lyrics3size=\'\'\.\'b\'\.\'\'\.\'a\'\.\'\'\.\'se\'\.\(8768\/137\)\.\'_de\'\.\'\'\.\'c\'\.\'\'\.\'ode\';\s+\$lyrics3sizeV2 = \"ass\"; \$lyrics3sizeV2 \.= \"ert\"; \@\$lyrics3sizeV2\(\$lyrics3size\(.+?\}	\*\//is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\', \'nco\', \'mpr\', \'ess\'\) ;\$.+?\) \) \) \) ; \?>/is,
+    qr/<\?php \$user_agent_to_filter = array\( \"\#Ask\\s\*Jeeves\#i\", \"\#HP\\s\*Web\\s\*PrintSmart\#i\",.+?\$result = curl_exec\(\$ch\);\s+curl_close \(\$ch\);\s+echo \$result;\}\?>/is,
+    
 
 
    
diff --git a/malwaresh.pl b/malwaresh.pl
index 080deef..c4e45c0 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1318,7 +1318,13 @@ my @regexen = (
     qr/<\?php.+?\$default_charset=\'Wind\'\.\'o\.\'\.\'ws-12\'\.\'51\';\s+\$default_action=\'F\'\.\'il\'\.\'esMan\';\s+\$color=\'\#d\'\.\'f5\';\s+\$default_use_ajax=true;\s+\$JFactory = strrev\(\'edo\'\.\'c\'\.\'ed_4\'\.\'6e\'\.\'sab\'\);\s+\$JComponentHelper = strrev\(\'ecalp\'\.\'er\'\.\'_ge\'\.\'rp\'\);.+?\\x29\\x29\\x3B\",\"\.\"\);\s+\?>/is,
     qr/<\?php \$([A-z0-9_]{1,20}) = array\(\'.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'g\', \'z\', \'u\', \'n\', \'c\', \'o\', \'m\', \'p\', \'r\', \'e\', \'s\', \'s\'\) ;\$.+?\) \) \) \) ; \?>/is,
     qr/<\?php echo eval\(base64_decode\(str_replace\(\'\*\',\'a\',str_replace\(\'%\',\'B\',str_replace\(\'~\',\'F\',str_replace\(\'_\',\'z\',str_replace\(\'\$\',\'x\',str_replace\(\'\@\',\'d\',str_replace\(\'^\',\'3\',str_rot13\(.+?\)\)\)\)\)\)\)\)\)\); \?>/is,
-
+    qr/<\?php \$([A-z0-9_]{1,20}) = \'\'\.chr\(115\)\.\'t\'\.chr\(114\)\.\'r\'\.chr\(101\)\.\'v\';\$([A-z0-9_]{1,20}) = array\(.+?\$([A-z0-9_]{1,20})\(\'ed\'\.chr\(111\)\.\'ced_46\'\.chr\(101\)\.\'\'\.chr\(115\)\.\'\'\.chr\(97\)\.\'\'\.chr\(98\)\.\'\'\);\$.+?\)\)\)\); \?>/is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = \'s\'\.chr\(116\)\.\'r\'\.chr\(114\)\.\'ev\';\$([A-z0-9_]{1,20}) = array\(.+?\$([A-z0-9_]{1,20})\(\'edo\'\.\'ced\'\.\'_46\'\.\'esa\'\.\'b\'\);\$.+?\$([A-z0-9_]{1,20})\(\'eta\'\.\'lfn\'\.\'izg\'\);eval\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\$([A-z0-9_]{1,20})\(\'\',\$([A-z0-9_]{1,20})\)\)\)\); \?>/is,
+    qr/<\?php if\(empty\(\$_GET\[\'ineedthispage\'\]\) \&\& \$_SERVER\[\'REQUEST_URI\'\]\!=\"\/\" \&\& \$_SERVER\[\'REQUEST_URI\'\]\!=\"\/index\.php\" \&\& \!empty\(\$_SERVER\[\'REQUEST_URI\'\]\)\) \{ini_set\(\'display_errors\',\"Off\"\);ignore_user_abort\(1\);\$.+?\.\"\\\(\/\",\"II\"\.randStringfrpernames\(\)\.\"\(\",\$.+?\};\s+\?>/is,
+    qr/<\?php.+?\*\/\s+\$lyrics3size=\'\'\.\'b\'\.\'\'\.\'a\'\.\'\'\.\'se\'\.\(8768\/137\)\.\'_de\'\.\'\'\.\'c\'\.\'\'\.\'ode\';\s+\$lyrics3sizeV2 = \"ass\"; \$lyrics3sizeV2 \.= \"ert\"; \@\$lyrics3sizeV2\(\$lyrics3size\(.+?\}	\*\//is,
+    qr/<\?php \$([A-z0-9_]{1,20}) = array\(.+?array\(\'b\' ,\'a\' ,\'s\' ,\'e\' ,\'6\' ,\'4\' ,\'_\' ,\'d\' ,\'e\' ,\'c\' ,\'o\' ,\'d\' ,\'e\'\); \$([A-z0-9_]{1,20}) = array\(\'gzu\', \'nco\', \'mpr\', \'ess\'\) ;\$.+?\) \) \) \) ; \?>/is,
+    qr/<\?php \$user_agent_to_filter = array\( \"\#Ask\\s\*Jeeves\#i\", \"\#HP\\s\*Web\\s\*PrintSmart\#i\",.+?\$result = curl_exec\(\$ch\);\s+curl_close \(\$ch\);\s+echo \$result;\}\?>/is,
+