From b5a67fe36922b6ebb68c8bd53340f67a6e1c2d1b Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 2 Jun 2018 11:02:52 +0200
Subject: [PATCH] new patterns
---
 malware6.pl | 4 ++++
 malwaresh.pl | 7 +++++--
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/malware6.pl b/malware6.pl
index 3cc19d6..c77a9ad 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -148,6 +148,10 @@ my @regexen = (
 qr/<\?php.+?\$url = \".+?\";\s+\}\s+header\(\"Location: http:\/\/\$url\"\);\s+echo \"\\n\";\s+echo \"<\/head><\/html>\";\s+\?>/is,
 qr/\s+\s+\"\);\s+<\/script>\s+\s+

Loading\.\.\.<\/h1>\s+<\/body>\s+<\/html>/is,
 qr/<\?php\s+header\(\"Location: http:\/\/.+?\"\);\s+die\(\);\s+\?>/is,
+ qr/<\?php\s+eval \( base64_decode \(\".+?\) \); \?>\s+/is,
+ qr/<\?php.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is,
+ qr/<\?php\s+\$this->zipname = \$p_zipname.+?\$archive = new PclZip\(\"([A-z0-9_]{1,20})\.zip\"\);.+?\@unlink\(\"([A-z0-9_]{1,20})\.zip\"\);\s+die\(\"([0-9]{1,20})\"\);\s+\}/is,
+ qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$catch\(stripslashes\(\$user\)\) \&\& exit;.+?function ([A-z0-9_]{1,20})\(\)\{\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+return \"\{\$([A-z0-9_]{1,20})\}\{\$([A-z0-9_]{1,20})\}\";\s+\}\s+\?>/is,
diff --git a/malwaresh.pl b/malwaresh.pl
index 2f3e0f0..d6c4f26 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1133,9 +1133,12 @@ my @regexen = (
 qr/<\?php.+?\$url = \".+?\";\s+\}\s+header\(\"Location: http:\/\/\$url\"\);\s+echo \"\\n\";\s+echo \"<\/head><\/html>\";\s+\?>/is,
 qr/\s+\s+\"\);\s+<\/script>\s+\s+
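Review bot: The character class `[A-z0-9_]` used for every captured name in the added PclZip and extract/stripslashes patterns also matches the six punctuation characters that sit between `Z` and `a` in ASCII, so those capture groups are wider than the PHP identifier they are evidently meant to match; `[A-Za-z0-9_]` (or `\w` under `/a`) states the intent exactly. The new `eval \( base64_decode \(\"` pattern hard-codes one particular spacing while the rest of the list tolerates whitespace with `\s+`, so `eval\s*\(\s*base64_decode\s*\(` would match the same fragment in its other common layouts. The two lazy `.+?` quantifiers in the crontab pattern run under `/s` and can backtrack across the whole scanned file before failing, which is worth timing on large inputs. The `@regexen` list this hunk extends starts before line 148. The same four lines are added verbatim to malwaresh.pl in the next hunk, so a single shared pattern file would keep the two lists from drifting apart.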

Loading\.\.\.<\/h1>\s+<\/body>\s+<\/html>/is,
 qr/<\?php\s+header\(\"Location: http:\/\/.+?\"\);\s+die\(\);\s+\?>/is,
+ qr/<\?php\s+eval \( base64_decode \(\".+?\) \); \?>\s+/is,
+ qr/<\?php.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);.+?system\(\'echo \"\* \* \* \* \* wget http:\/\/\'\.\$_SERVER\[\"HTTP_HOST\"\]\.\$_SERVER\[\"REQUEST_URI\"\]\.\'\" \| crontab\'\);\s+\?>/is,
+ qr/<\?php\s+\$this->zipname = \$p_zipname.+?\$archive = new PclZip\(\"([A-z0-9_]{1,20})\.zip\"\);.+?\@unlink\(\"([A-z0-9_]{1,20})\.zip\"\);\s+die\(\"([0-9]{1,20})\"\);\s+\}/is,
+ qr/<\?php\s+extract\(\$_REQUEST\) \&\& \@\$catch\(stripslashes\(\$user\)\) \&\& exit;.+?function ([A-z0-9_]{1,20})\(\)\{\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+\$([A-z0-9_]{1,20})=\"([A-z0-9_]{20,})\";\s+return \"\{\$([A-z0-9_]{1,20})\}\{\$([A-z0-9_]{1,20})\}\";\s+\}\s+\?>/is,
-
-
+ ) ;
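Review bot: The added `+ ) ;` closes `@regexen` inside this hunk, but the list's original terminator is not visible in what is shown; if the old `) ;` still follows as trailing context beyond this excerpt, the list would now be closed twice and the file would no longer compile, so confirming with `perl -c malwaresh.pl` is worthwhile. The terminator would conventionally be written `);` to match the `qr/.../is,` entries above it. The `@regexen` list itself begins before line 1133.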