From d33d1ca1c613b9d7e299c3800aafced9688067fb Mon Sep 17 00:00:00 2001
From: Malin <malin@cenusa.me>
Date: Sun, 15 Jan 2017 13:14:54 +0100
Subject: [PATCH] Update 'malware4.pl'

---
 malware4.pl | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/malware4.pl b/malware4.pl
index 9c2bd52..a2bb3fb 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -37,6 +37,9 @@ my @regexen = (
     qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?functions+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\{return\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\}\;.+?\}\(\$url\,\s+FALSE\,\s+\$\{([A-z0-9]{1,20})\(.+?return\s+\$\{.+?\)\}\;\s+\}/is,
     qr/<\?php\s+eval\(base64\_decode\(.+?include.+?x70hp\"\;.+?include.+?x70hp\"\;/is,
     qr/<\?php\s+\$([A-z0-9]{1,20})\=chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?chr\(([0-9]{1,4})\).+?\)\;\s+\?>/is,
+    qr/\*\/\s+eval\(base64\_decode\(\"aWY.+?\=\"\)\)\;\s+\/\*/is,
+    qr/\*\/include\s+\/\*/is,
+    qr/\*\/\".+?\.co.+?php\"\;\/\*/is,
     
     );
 my @base64_decodes = (