From ba71f2bdae0171e76919da462c443a32c0cc66f1 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 28 Apr 2018 09:02:43 +0200
Subject: [PATCH] new patterns
---
 malware5.pl | 9 ++++++++-
 malwaresh.pl | 10 +++++++++-
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/malware5.pl b/malware5.pl
index f717a7b..9463cd9 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -310,7 +310,14 @@ my @regexen = (
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\"PCT4BA6ODSE\_\"\;\$([A-z0-9]{1,20})\=strtolower\(\$([A-z0-9]{1,20})\[.+?\]\;if\(isset\(\$([A-z0-9]{1,20})\)\)\{eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\}\?>/is,
 qr/<\?\s+\$auth\_pass\s+\=.+?FilesMan.+?eval\(base64\_decode\(.+?return\;\s+\?>/is,
 qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+android\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/sswim\.ru\s+\[L\,R\=302\]/is,
-
+ qr/<\?php\s+\/\*\*\/\s+eval\(base64\_decode\(\"aWYo.+?\)\)\;\?>/is,
+ qr/<\?php.+?\$auth\_pass.+?FilesMan.+?header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
+ qr/.+?document\.getElementById\(\'HideMeBetter\'\)\.style\.display\s+\=\s+\'none\'\;\}<\/script>/is,
+ qr/<\!\-\-start\-add\-div\-content\-\->.+?Viagra.+?<\/p><\!\-\-end\-add\-div\-content\-\->/is,
+ qr/\s+function\s+dnnViewState\(\).+?dnnViewState\(\)\;\s+<\/script>/is,
+ qr/<\?php\s+\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\\x([A-z0-9]{2})\"\;\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\)\)\;\$\_([A-z0-9]{1,20})\(\)\;\?>/is,
+ qr/<\?php.+?Parabola.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
+ qr/<\?php\s+function\s+html\(\$data\).+?array\_unshift\(\$data\,.+?array\_push\(\$parag\,\$word\)\;.+?echo\(html\(array\(.+?\?>/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index 40d7352..18a0307 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
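Review bot: The character class `[A-z0-9]` in the sixth added pattern (`\$\_([A-z0-9]{1,20})`) spans the ASCII gap between `Z` and `a`, so besides letters it also admits `[`, `\`, `]`, `^` and a backtick; `[A-Za-z0-9_]` states what a PHP identifier tail actually is and still matches every legitimate name, since the `_` that `A-z` silently covered is listed explicitly. The same class is used in the unchanged context lines above and in the identical hunk added to malwaresh.pl in this commit, so any correction should be applied in both files. The third added pattern starts with `.+?`, which in an unanchored match under `/s` adds nothing except a requirement that at least one byte precede `document.getElementById`; unless that is deliberate, starting the pattern at `document\.getElementById\(...` is clearer. The `@regexen` declaration these lines belong to begins before the hunk.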
@@ -791,7 +791,15 @@ my @regexen = (
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\"PCT4BA6ODSE\_\"\;\$([A-z0-9]{1,20})\=strtolower\(\$([A-z0-9]{1,20})\[.+?\]\;if\(isset\(\$([A-z0-9]{1,20})\)\)\{eval\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\;\}\?>/is,
 qr/<\?\s+\$auth\_pass\s+\=.+?FilesMan.+?eval\(base64\_decode\(.+?return\;\s+\?>/is,
 qr/RewriteEngine\s+on\s+RewriteCond\s+\%\{HTTP\_USER\_AGENT\}\s+android\s+\[NC\,OR\].+?RewriteRule\s+\^\(\.\*\)\$\s+http\:\/\/sswim\.ru\s+\[L\,R\=302\]/is,
-
+ qr/<\?php\s+\/\*\*\/\s+eval\(base64\_decode\(\"aWYo.+?\)\)\;\?>/is,
+ qr/<\?php.+?\$auth\_pass.+?FilesMan.+?header\(\'HTTP\/1\.0\s+404\s+Not\s+Found\'\)\;\s+exit\;/is,
+ qr/.+?document\.getElementById\(\'HideMeBetter\'\)\.style\.display\s+\=\s+\'none\'\;\}<\/script>/is,
+ qr/<\!\-\-start\-add\-div\-content\-\->.+?Viagra.+?<\/p><\!\-\-end\-add\-div\-content\-\->/is,
+ qr/\s+function\s+dnnViewState\(\).+?dnnViewState\(\)\;\s+<\/script>/is,
+ qr/<\?php\s+\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\\x([A-z0-9]{2})\"\;\$\_([A-z0-9]{1,20})\=\"\\x([A-z0-9]{2}).+?\)\)\;\$\_([A-z0-9]{1,20})\(\)\;\?>/is,
+ qr/<\?php.+?Parabola.+?eval\(gzinflate\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
+ qr/<\?php\s+function\s+html\(\$data\).+?array\_unshift\(\$data\,.+?array\_push\(\$parag\,\$word\)\;.+?echo\(html\(array\(.+?\?>/is,
+
 );
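Review bot: The eight patterns added here are a byte-for-byte copy of those added to malware5.pl in the same commit, and the surrounding `@regexen` context lines are already identical, so the two signature lists are being maintained by hand in parallel; a fix to one pattern, or a pattern withdrawn for false positives, in one file will silently not reach the other. Moving the list into one shared module or data file that both scripts load (name to be chosen by the project) would keep the two scanners in step and make a single pattern change reviewable once. The added blank line before `);` is harmless but is the only difference between the two hunks. The `@regexen` declaration begins before the hunk.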