From d5f59c7a0d4d7521d6f9952cb4e71c4cde4b98a5 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 2 Dec 2017 09:19:48 +0100
Subject: [PATCH] new pattern
---
 malware4.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/malware4.pl b/malware4.pl
index 4c7d527..7118f7d 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -198,7 +198,7 @@ my @regexen = (
 qr/<\?php\s+error\_reporting\(E\_ERROR.+?\$wp\_code\s+\=.+?\?>/is,
 qr/<\?php\s+\$s\_pass\s+\=\s+\"\"\;\s+eval\(\"\\\$x\=gzin\"\.\"flate\(base\"\.\"64\_de\"\.\"code\(.+?\)\)\;\"\)\;eval\(\"\?>\"\.\$x\)\;\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\"cr\"\.\"eat\"\.\"e\_fun\"\.\"cti\"\.\"on\"\;\$([A-z0-9]{1,20})\=\@\$([A-z0-9]{1,20})\(\'\$([A-z0-9]{1,20})\'\,\'ev\'\.\'al\'\.\'\(\"\?>\"\.gz\'\.\'inf\'\.\'late\'\.\'\(\s+bas\'\.\'e64\'\.\'\_de\'\.\'co\'\.\'de\(\$([A-z0-9]{1,20})\)\)\)\;\'\)\;\@\$([A-z0-9]{1,20}).+?\)\;/is,
-
+ qr/<\?php\s+\$m\=\\\'bas\\\'\.chr\(101\)\.\\\'64\_d\\\'\.chr\(101\)\.\\\'cod\\\'\.chr\(101\)\;\$m\=\$m\(\$\_POST\[\\\'s\\\'\]\)\;file\_put\_contents\(\\\'a\\\'\,\\\'<\?php\s+\\\'\.\$m\)\;include\(\\\'a\\\'\)\;unlink\(\\\'a\\\'\)\;/is,
 );
 my @base64_decodes = (
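Review bot: The added signature requires a literal backslash before every single quote (each `\\\'` in the pattern matches the two characters `\'`), so it matches only the backslash-escaped form of this snippet; the same code stored with plain quotes would not be flagged by this entry. If both forms are meant to be detected, making the backslash optional at each quote, `\\?\'`, covers them with one pattern. The entry would also benefit from a short comment above it, such as `# dropper: base64-decodes $_POST['s'], writes it to file 'a', includes it, then unlinks it`, since the commit message says only "new pattern". The `@regexen` list begins and ends outside this hunk, so how a match is consumed is not visible here.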