diff --git a/malware5.pl b/malware5.pl
index e88729c..cd88bb7 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -451,6 +451,8 @@ my @regexen = (
 qr/<\!DOCTYPE.+?\(c\)\s+private\s+mail\-worker\s+\(c\)<\/title>.+?function\s+randmail\(\).+?\$numemails\s+\=\s+count\(\$allemails\)\;.+?<\/style>\s+<\/body>\s+<\/html>/is,
 qr/<\?php\s+Error\_Reporting\(E\_ALL.+?<title>FakeSender\s+by\s+POCT\s+\[FuckAV\.ru\]<\/title>.+?if\(mail\(\$to\,\s+\$subject\,\s+\$message\,\s+\$header\)\).+?\?>\s+<\/body>\s+<\/html>/is,
 qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is,
+ qr/<\?php.+?\?>([A-z0-9]{1,20})\%([A-z0-9]{1,20})\%.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
+ qr/<\?php.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,5})\-([0-9]{1,5})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index a57103c..c23518d 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -934,7 +934,8 @@ my @regexen = (
 qr/<\!DOCTYPE.+?<title>\(c\)\s+private\s+mail\-worker\s+\(c\)<\/title>.+?function\s+randmail\(\).+?\$numemails\s+\=\s+count\(\$allemails\)\;.+?<\/style>\s+<\/body>\s+<\/html>/is,
 qr/<\?php\s+Error\_Reporting\(E\_ALL.+?<title>FakeSender\s+by\s+POCT\s+\[FuckAV\.ru\]<\/title>.+?if\(mail\(\$to\,\s+\$subject\,\s+\$message\,\s+\$header\)\).+?\?>\s+<\/body>\s+<\/html>/is,
 qr/<\?\s+eval\(gzinflate\(str\_rot13\(base64\_decode\(.+?\)\)\)\)\;\s+\?>/is,
-
+ qr/<\?php.+?\?>([A-z0-9]{1,20})\%([A-z0-9]{1,20})\%.+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
+ qr/<\?php.+?\$([A-z0-9]{1,20})\=\(([0-9]{1,5})\-([0-9]{1,5})\)\;\s+\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\-1\;\s+\?>/is,
 );
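Review bot: The character class `[A-z0-9]` in both added signatures is wider than it looks, because the ASCII range `A-z` also takes in `[`, `\`, `]`, `^`, `_` and the backtick, so the patterns accept more than identifier-like tokens and are more likely to flag benign PHP. Since `/i` is already set, `[a-z0-9_]` expresses what seems to be intended while keeping `_`, which the current class does match, e.g. `\$([a-z0-9_]{1,20})\=\$([a-z0-9_]{1,20})\-1\;`. The same two entries are added to `@regexen` in malwaresh.pl, so the change applies to that hunk as well. The array starts outside both hunks and its consumer is not visible; if the matcher never reads `$1`–`$5`, the capturing parentheses can be dropped. A one-line `#` comment above each entry naming the sample it was written for would make later false-positive tuning easier.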