From ab7a52369ecd24f8df01a7892cf168a8e27805d7 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Wed, 17 Jan 2018 13:08:02 +0100
Subject: [PATCH] new pattern

---
 malware4.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/malware4.pl b/malware4.pl
index 8079260..34fa891 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -267,7 +267,8 @@ my @regexen = (
     qr/<\?php\s+\/\*\s+VTY\s+\-\s+Database\s+Manager\s+For\s+Mysql.+?\$vty\->BitimIslemleri\(\)\;\s+exit\;\s+\}\s+\?>\s+<\?php.+?class\s+dug\s+\{.+?function\s+menu\(\)\{\s+\?>\s+<table.+?\}\/\/class\:db\s+\?>/is,
     qr/\$([A-z0-9]{1,20})\=\"\-1\(.+?\$([A-z0-9]{1,20})\=array\(\"([A-z0-9]{1,20})\"\=>\".+?\"\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\"\"\,\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;if\(\$([A-z0-9]{1,20})\(\@\$([A-z0-9]{1,20})\[\$([A-z0-9]{1,20})\]\)\=\=\$([A-z0-9]{1,20})\)\$([A-z0-9]{1,20})\(\)\;/is,
     qr/\/\*([A-z0-9]{1,10})\*\/\s+\@include\s+\"\\x.+?\"\;\s+\/\*([A-z0-9]{1,10})\*\//is,
-
+    qr/<\?php\s+\$([A-z0-9]{1,10})\s+\=.+?\$\_([A-z0-9]{1,10})\s+\=\s+create\_function\s+\(\'\$([A-z0-9]{1,10})\'\,\s+([A-z0-9]{1,10})\s+\(base64\_decode\s+\(.+?\)\,\s+\$\_COOKIE\s+\[str\_replace\(\'\.\'\,\s+\'\_\'\,\s+\$\_SERVER\[\'HTTP\_HOST\'\]\)\]\)\s+\.\s+\'\;\'\)\;\s+\$\_([A-z0-9]{1,10})\(\$([A-z0-9]{1,10})\)\;\s+function\s+([A-z0-9]{1,10})\s+\(\$([A-z0-9]{1,10})\,\s+\$([A-z0-9]{1,10})\)\s+\{\s+return\s+\$([A-z0-9]{1,10})\s+\^\s+str\_repeat\s+\(\$([A-z0-9]{1,10})\,\s+ceil\s+\(strlen\s+\(\$([A-z0-9]{1,10})\)\s+\/\s+strlen\s+\(\$([A-z0-9]{1,10})\)\)\)\;\s+\}\s+\?>/is,
+    
 
 );