From cf362b6983cf1bfc1c7fd1dc9166c20ef6269f5d Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Fri, 16 Mar 2018 19:26:58 +0100
Subject: [PATCH] new patterns

---
 malware4.pl | 1 +
 1 file changed, 1 insertion(+)

diff --git a/malware4.pl b/malware4.pl
index a90e442..0e2b500 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -373,6 +373,7 @@ my @regexen = (
     qr/<\?php\s+if\s+\(isset\(\$\{\"\_R\"\.\"EQ\"\.\"UE\"\.\"ST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"assert\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
     qr/<\?php\s+if\/\*([A-z0-9]{1,20})\*\/\(isset\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\)\/\*([A-z0-9]{1,20})\*\/\{\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\(\$\_COOKIE\[\"([A-z0-9]{1,20})\"\]\)\;\/\*([A-z0-9]{1,20})\*\/exit\;\/\*([A-z0-9]{1,20})\*\/\}\/\*([A-z0-9]{1,20})\*\//is,
     qr/<\?php\s+if\s+\(isset\(\$\{\"\_REQU\"\.\"EST\"\}\[\'([A-z0-9]{1,20})\'\]\)\)\{\$([A-z0-9]{1,20})\=\"asse\"\.\"rt\"\;\$([A-z0-9]{1,20})\(\$\{\"\_REQUEST\"\}\[\'([A-z0-9]{1,20})\'\]\)\;exit\;\}/is,
+    qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\=Array\(\)\;global\$([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\=\$GLOBALS\;\$\{.+?\$([A-z0-9]{1,20})\)\;\}\}\s+\?>/is,
 );
 
 my @base64_decodes = (