diff --git a/malware6.pl b/malware6.pl
index c7d4b04..36c7127 100644
--- a/malware6.pl
+++ b/malware6.pl
@@ -106,6 +106,7 @@ my @regexen = (
     qr/<\?php \@passthru\(\"cd \/tmp; wget http:\/\/+?\?>/is,
     qr/<\?php exec\(\"wget http:\/\/.+?\?>/is,
     qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
+    qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/is,
 
 
     
diff --git a/malwaresh.pl b/malwaresh.pl
index 4681378..0e7ed2f 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -1091,6 +1091,7 @@ my @regexen = (
     qr/<\?php \@passthru\(\"cd \/tmp; wget http:\/\/+?\?>/is,
     qr/<\?php exec\(\"wget http:\/\/.+?\?>/is,
     qr/<\?php+?elseif\(function_exists\(\"passthru\"\)\)\{.+?fclose\(\$handle\);.+?echo ex\(\"cd \/dev\/shm;rm -rf ([A-z0-9_]{1,20})\.txt\"\);\s+\?>/is,
+    qr/<\?php.+?if \(isset\(\$_GET\[\"cookie\"\]\)\) \{ echo \'cookie=4\'; if \(isset\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\) \@eval\(base64_decode\(\$_POST\[\"([A-z0-9_]{1,20})\"\]\)\); exit; \}.+?\?>/is,