From d530f58a9b5b6d0c55fb153d2d2904c531ef5f9d Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 21 Apr 2018 11:38:45 +0200
Subject: [PATCH] new patterns

---
 malware5.pl | 4 +++-
 malwaresh.pl | 4 +++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/malware5.pl b/malware5.pl
index 4cde6cd..068724f 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -243,7 +243,9 @@ my @regexen = (
 qr/<\?php\s+\$\{\"GLOBAL\\x.+?\"\]\,\"\"\.\$\_FILES\[\".+?\"\]\}\=str\_replace\(\".+?\"\;\}\}\s+\?>/is,
 qr/<\?php\s+\/\*\s+b374k.+?if\(isset\(\$\_COOKIE\[\'b374k\'\]\)\)\{.+?\.\$s\_name\;\s+\?><\/p>\s+<\/body>\s+<\/html>/is,
 qr/<\?php\s+function\s+sgen\(\)\s+\{\$vals\s+\=\s+\"abcdefghijklmnopqrstuvwxyz\"\;\s+\$result\s+\=\s+\"\"\;\s+for\(\$i.+?\.sgen\(\)\.\"\=\"\.bin2hex\(\$\_SERVER\[.+?exit\;\s+\?>/is,
-
+ qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;\s+\?>/is,
+ qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x\d\d.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x\d\d.+?\)\)\)\s+\$GLOBALS\[\"\\x\d\d.+?\]\=1\;\s+\}\s+\?>/is,
+
 );
 
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index 66c3e2f..0323f6a 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -723,7 +723,9 @@ my @regexen = (
 qr/<\?php\s+\$\{\"GLOBAL\\x.+?\"\]\,\"\"\.\$\_FILES\[\".+?\"\]\}\=str\_replace\(\".+?\"\;\}\}\s+\?>/is,
 qr/<\?php\s+\/\*\s+b374k.+?if\(isset\(\$\_COOKIE\[\'b374k\'\]\)\)\{.+?\.\$s\_name\;\s+\?><\/p>\s+<\/body>\s+<\/html>/is,
 qr/<\?php\s+function\s+sgen\(\)\s+\{\$vals\s+\=\s+\"abcdefghijklmnopqrstuvwxyz\"\;\s+\$result\s+\=\s+\"\"\;\s+for\(\$i.+?\.sgen\(\)\.\"\=\"\.bin2hex\(\$\_SERVER\[.+?exit\;\s+\?>/is,
-
+ qr/<\?php\s+\$cookey\s+\=\s+\"([A-z0-9]{1,20})\"\;\s+preg\_replace\(\"\\x\d\d.+?\\x3b\"\)\;\s+\?>/is,
+ qr/<\?php\s+if\(\!isset\(\$GLOBALS\[\"\\x\d\d.+?\]\)\)\s+\{\s+\$ua\=strtolower\(\$\_SERVER\[\"\\x\d\d.+?\)\)\)\s+\$GLOBALS\[\"\\x\d\d.+?\]\=1\;\s+\}\s+\?>/is,
+
 );
 
 my @base64_decodes = (
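Review bot: The `[A-z0-9]{1,20}` class in the first added pattern of the malware5.pl hunk (and the identical line in the malwaresh.pl hunk) spans the ASCII range A–z, which also admits `[`, `\`, `]`, `^`, `_` and the backtick, so the signature is looser than the quoted identifier it appears to describe; `[A-Za-z0-9]{1,20}` states the intent, and since the capture is never read, `(?:[A-Za-z0-9]{1,20})` avoids filling `$1` on every scan. The `\\x\d\d` fragments in both new patterns match only a PHP hex escape whose two hex digits are decimal, so an escape such as `\x6e` is not matched — if any escaped byte is meant, `\\x[0-9a-fA-F]{2}` covers it; confirm against the samples these were written from. The two new patterns are pasted verbatim into both files, which is how the two `@regexen` lists drift apart; loading them from one shared module or data file would keep them in step. The `@regexen` list these lines belong to opens before the hunk.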