diff --git a/malware5.pl b/malware5.pl
index 66027af..808fcf0 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -485,6 +485,7 @@ my @regexen = (
 qr/<\?php\s+eval\s+\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\?>/is,
 qr/<\?php\s+header\(.+?\$Remote\_server.+?function\s+GetHtml\(\$url\)\s+\{\s+return\s+getHTTPPage\(\$url\)\;\s+\}/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\"\"\;\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\.\'([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\)\;.+?\$([A-z0-9]{1,20})\=array\(.+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+join\(\'\'\,\s+\$([A-z0-9]{1,20})\)\s+\)\;.+?return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is,
+ qr/<\?php.+?\$subject\s+\=\s+\"php\s+SSH\"\;.+?if\s+\(\$hist\_arr\)\s+\{.+?<\/BODY>\s+<\/HTML>/is,
 );
diff --git a/malwaresh.pl b/malwaresh.pl
index 43ca0fb..77cb46c 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -968,7 +968,7 @@ my @regexen = (
 qr/<\?php\s+eval\s+\(\$\_POST\[\'([A-z0-9]{1,20})\'\]\)\;\s+\?>/is,
 qr/<\?php\s+header\(.+?\$Remote\_server.+?function\s+GetHtml\(\$url\)\s+\{\s+return\s+getHTTPPage\(\$url\)\;\s+\}/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\"\"\;\s+\$([A-z0-9]{1,20})\=\'([A-z0-9]{1,20})\'\.\'([A-z0-9]{1,20})\'\..+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\)\;.+?\$([A-z0-9]{1,20})\=array\(.+?\$([A-z0-9]{1,20})\=([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\s+join\(\'\'\,\s+\$([A-z0-9]{1,20})\)\s+\)\;.+?return\s+\"\{\$([A-z0-9]{1,20})\}\{\$([A-z0-9]{1,20})\}\"\;\s+\}\s+\?>/is,
-
+ qr/<\?php.+?\$subject\s+\=\s+\"php\s+SSH\"\;.+?if\s+\(\$hist\_arr\)\s+\{.+?<\/BODY>\s+<\/HTML>/is,
 );
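Review bot: The signature added to `@regexen` in malware5.pl chains three unbounded `.+?` gaps under `/s`, so on a scanned file that contains the early anchors but never reaches the closing `<\/BODY>\s+<\/HTML>` the engine may re-scan the remainder of the file from each candidate position; because the scanner reads files an attacker controls, that cost is worth limiting. Consider bounding each gap, for example `.{1,2000}?` in place of `.+?` (the limit is illustrative and should be sized from the sample), or running the match under a per-file time limit. The entry also carries no comment naming what it targets; a line such as `# PHP page with $subject = "php SSH" and an if ($hist_arr) block (sample: <sample-id>)` above it would help when triaging hits and false positives. The identical line is added to the copy of `@regexen` in malwaresh.pl, so both points apply there as well, and a single shared signature list would keep the two files from drifting apart. The `@regexen` list begins outside both hunks.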