From afb9ff928a65f171c24e1cdbc9524d830bafaee1 Mon Sep 17 00:00:00 2001
From: Malin <malin@cenusa.me>
Date: Sun, 25 Dec 2016 12:22:29 +0100
Subject: [PATCH] Update 'malware3.pl'

---
 malware3.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/malware3.pl b/malware3.pl
index 09e2647..0bcc4ac 100644
--- a/malware3.pl
+++ b/malware3.pl
@@ -25,6 +25,7 @@ my @regexen = (
     qr/<script.+?G91825.+?<\/script>/is,
     qr/<\?php\s+if\s+\(isset\(\$\_REQUEST\[\"([A-z0-9]{1,10})\"\]\)\s+AND\s+\$\_REQUEST\[\"([A-z0-9]{1,10})\"\]\=\=\"1\"\)\{echo\s+\"200\"\;\s+exit\;\}\s+if\(isset\(\$\_POST\[\"([A-z0-9]{1,10})\"\]\)\s+\&\&\s+isset\(\$\_POST\[\"([A-z0-9]{1,10})\"\]\)\s+\&\&\s+\$\_POST\[\"([A-z0-9]{1,10})\"\]\=\=.+?\)eval\(gzuncompress\(base64\_decode\(\$\_POST\[\"([A-z0-9]{1,10})\"\]\)\)\)\;\s+\?>/is,
     qr/\*\/\s+eval\(base64\_decode\(\"aWY.+?\=\"\)\)\;\s+\/\*/is,
+    qr/\*\/\s+eval\(base64\_decode\(\"aWY.+?\"\)\)\;\s+\/\*/is,
  #   qr/<\?php.+?defined\(\'ALREADY\_RUN.+?\{\s+define\(\'ALREADY\_RUN.+?Array\(.+?eval.+?\)\)\;\s+\}/is,
     qr/<\?php\s+echo\"trest\"\;error\_reporting\(0\)\;.+?val\(base64\_decode\(\$kk\)\)\;\s+echo\"abrval\"\;\s+\?>/is,
     qr/<\?php\s+\@preg\_replace\(\$\_SERVER\[\'HTTP\_X\_([A-z0-9]{1,10})\'\]\,\s+\$\_SERVER\[\'HTTP\_X\_CURRENT\'\]\,\s+\'\'\)\;\s+\?>/is,