From e3bad2afa70b13add6724e7a7267f3af9bc74ce9 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Fri, 12 Jan 2018 11:32:11 +0100
Subject: [PATCH] new patterns
---
 malware4.pl | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/malware4.pl b/malware4.pl
index 2a5d704..1c1b4a8 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -255,9 +255,11 @@ my @regexen = (
 qr/<\?php\s+\$([A-z0-9]{1,20})\=.+?\.chr\(([0-9]{1,10})\).+?\$([A-z0-9]{1,20})\=\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\,\$([A-z0-9]{1,20})\)\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\;\s+\?>/is,
 qr/<\?php\s+error\_reporting\(0\)\;\s+\$domain\s+\=\s+\'gas\.liveupdates\.host\'\;.+?header\(\'Location\:\s+\'\.\$location\.\'\&\'\.\$m\,\s+TRUE\,\s+302\)\;\s+\}/is,
 qr/<\?php\s+header\(\'Content\-Type\:text\/html\;\s+charset\=UTF\-8\'\)\;\s+\@set\_time\_limit\(0\)\;\s+define\(\'PASSWORD\_FILE\'\,\s+\'p\.txt\'\)\;.+?if\(\!file\_exists\(PASSWORD\_FILE\)\)\s+\{.+?\?>\s+<\/body>\s+<\/html>/is,
-
+ qr/<\?php\s+\@error\_reporting\(0\)\;.+?function\s+Send\(\)\{.+?\$replyto\=check\_gmail\(\$replyto\)\;.+?return\s+\$result\.\'\@gmail\.com\'\;\s+\}\s+\?>/is,
+ qr/\"\s+\.\s+base64\_decode\(\"\'\.\$wp\_code\.\'\"\)\)\;\s+\?>\'\;\s+\$wp\_dec\_file\s+\=\s+base64\_decode\(\$wp\_code\)\;.+?\/\/print\s+PLATFORM\;\s+\/\/print\_r\(\$all\_dirs\)\;\s+\?>/is,
 );
+
 my @base64_decodes = (