From dbd0c86357ec544080c6e726bd00388693855b52 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD <malin@cenusa.me>
Date: Fri, 8 Dec 2017 11:26:17 +0100
Subject: [PATCH] fixed pattern

---
 malware4.pl | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/malware4.pl b/malware4.pl
index b70fb0c..0703249 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -202,7 +202,7 @@ my @regexen = (
     qr/<\?php\s+\@eval\(\$\_POST\[\".+?\"\]\)\;\?>/is,
     qr/if\(isset\(\$\_REQUEST\[\'sort\'\]\)\)\{\s+\$string\s+\=\s+\$\_REQUEST\[\'sort\'\]\;\s+\$array\_name\s+\=\s+\'\'\;\s+\$alphabet.+?\$ar\s+\=\s+array\(.+?foreach\(\$ar\s+as\s+\$t\)\{\s+\$array\_name\s+\.\=\s+\$alphabet\[\$t\]\;\s+\}\s+\$a\s+\=\s+strrev\(.+?\$f\s+\=\s+\$a\(\"\"\,\s+\$array\_name\(\$string\)\)\;\s+\$f\(\)\;\s+exit\(\)\;\s+\}/is,
     qr/<\?php\s+error\_reporting\(0\)\;\s+set\_time\_limit\(0\)\;.+?class\s+O\s+\{\s+private\s+\$content\_\s+\=.+?execute\(\)\;/is,
-    qr/<\?php.+?define\(\'([A-z0-9]{1,20})\'\,\s+\_\_DIR\_\_\)\;.+?\$([A-z0-9]{1,20})\=str\_ireplace\(.+?\?>/is,
+    qr/<\?php.+?\$([A-z0-9]{1,20})\=str\_ireplace\(.+?define\(\'([A-z0-9]{1,20})\'\,\s+\_\_DIR\_\_\)\;.+?\?>/is,
 );
 my @base64_decodes = (