From c033ef675e580d6bad3aabe17dcd1fc12a46bf71 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Fri, 7 Jul 2017 14:05:36 +0200
Subject: [PATCH] new pattern

---
 malware4.pl | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/malware4.pl b/malware4.pl
index 33da95b..9a5e550 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -103,6 +103,8 @@ my @regexen = (
     qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\}/is,
     qr/<\?php\s+\/\*([A-z0-9]{1,20})\*\/if\(isset\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\/\*([A-z0-9]{1,20})\*\/\$P\=\/\*([A-z0-9]{1,20})\*\/\"ass\"\.\"ert\"\;\$W\=\$P\(\$\_REQUEST\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}\?>/is,
     qr/<\?php\s+if\(isset\(\$\_COOKIE\[\".+?\"\]\)\)\{\$\_COOKIE\[\".+?\"\]\(\$\_COOKIE\[\".+?\"\]\)\;exit\;\}/is,
+    qr/include\_once\s+\"3732787075626C69635F68746D6C\.htm\"\;/is,
+
 );
 my @base64_decodes = (