From a1abf0c3e6f98bf8ea2bf5f5b24be0a5e278a7df Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Thu, 20 Jul 2017 21:04:13 +0200
Subject: [PATCH] new pattern
---
 malware4.pl | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/malware4.pl b/malware4.pl
index e36cdb4..4ec0d1a 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -149,6 +149,7 @@ my @regexen = (
 qr/\}\s+\}\s+\@ini\_set.+?WSO\_VERSION.+?exit\;\s+\?>/is,
 qr/<\?php\s+header\(\"Content\-type.+?\@system\(\"killall\s+\-9\s+\"\.basename\(\"\/usr\/bin\/host\"\)\)\;.+?\@system\(\"\.\/1\.sh\"\)\;\s+\?>/is,
 qr/<\?php\s+\$\{\"G.+?\=getUseragent\(\).+?\=str\_replace\(.+?\]\}\;\}\s+\?>/is,
+ qr/<\?php\s+\$s\=\@\$\_GET\[2\]\;if\(md5\(\$s\.\$s\)\=\=\"([A-z0-9]{1,32})\"\s+\&\&\s+\(\$p\=\'pr\'\.\'eg\_\'\.\'re\'\.\'place\'\)\s+\&\&\s+\(\$r\=\'str\'\.\'\_rot\'\.\'13\'\)\)\{\$p\(\'\/ad\/\'\.\'e\'\,\'\@\'\.\$r\(\'r\'\.\'in\'\.\'y\'\)\.\'\(\$\_POST\[\$s\]\)\'\,\'add\'\)\;\}\;echo\s+dirname\(\_\_FILE\_\_\)\;\?>/is,
@@ -160,6 +161,7 @@ my @regexen = (
+ ); my @base64_decodes = (
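Review bot: The digest class `[A-z0-9]{1,32}` in the added signature is wider than intended: the range `A-z` also covers the ASCII punctuation between `Z` and `a` (`[ \ ] ^ _` and the backtick), and `{1,32}` accepts strings much shorter than an MD5 digest. Since the value is compared with `md5(...)` output, and assuming the samples carry a full hex digest, `([0-9a-f]{32})` states what is being matched (the `/i` flag already covers upper case). The mandatory `\s+` around each `&&` ties the signature to one exact spacing; `\s*` there would keep a reformatted copy of the same file within detection. Whether the capture group is consumed is not visible here, because `@regexen` starts and ends outside the hunk; if nothing reads `$1`, dropping the parentheses is cleaner.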