From d45f3ff403cbe57e119c1c37367c079b3ed8c0e1 Mon Sep 17 00:00:00 2001
From: Malin <malin@cenusa.me>
Date: Wed, 18 Jan 2017 21:23:45 +0100
Subject: [PATCH] Update 'malware4.pl'

---
 malware4.pl | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/malware4.pl b/malware4.pl
index da6d5a3..ed8f0e7 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -41,8 +41,9 @@ my @regexen = (
     qr/\*\/include\s+\/\*/is,
     qr/\*\/\".+?\.co.+?php\"\;\/\*/is,
     qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents\(\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]\)\)\)\;\}\s+unlink\(\$scr\.\"\.php\"\)\;\s+\?>/is,
-    
-    );
+    qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?exit\(\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"\)\}\)\;\s+\}/is,
+
+);
 my @base64_decodes = (