From e7f481ae179015aa4ff57ebb3bd27a3fe63fbdc1 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Mon, 2 Apr 2018 10:48:23 +0200
Subject: [PATCH] new pattern
---
 malware5.pl | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/malware5.pl b/malware5.pl
index f3c36a9..ca1bbf1 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -92,7 +92,8 @@ my @regexen = (
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=.+?array\(.+?\$([A-z0-9]{1,20})\s+=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+([A-z0-9]{1,20})\;\$([A-z0-9]{1,20})\s+\=\s+false\;\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$([A-z0-9]{1,20})\s+\=\s+true\;\$.+?\$([A-z0-9]{1,20})\s+\=\s+\"\"\;\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'ba\'\s+\,\'se\'\s+\,\'64\'\s+\,\'\_d\'\s+\,\'ec\'\s+\,\'od\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gzu\'\,\s+\'nco\'\,\s+\'mpr\'\,\s+\'ess\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+array\(.+?\=\s+array\(\'b\'\s+\,\'a\'\s+\,\'s\'\s+\,\'e\'\s+\,\'6\'\s+\,\'4\'\s+\,\'\_\'\s+\,\'d\'\s+\,\'e\'\s+\,\'c\'\s+\,\'o\'\s+\,\'d\'\s+\,\'e\'\)\;\s+\$.+?\=\s+array\(\'gz\'\,\s+\'un\'\,\s+\'co\'\,\s+\'mp\'\,\s+\'re\'\,\s+\'ss\'\)\s+\;\$.+?eval\s+\(\s+\$.+?\)\s+\)\s+\)\s+\)\s+\;\s+\?>/is,
-
+ qr/<\?php\s+\$([A-z0-9]{1,20})\s+\=\s+\'s\'\.\'t\'\.\'r\'\.\'r\'\.\'e\'\.\'v\'\;\$.+?\=\s+array\(.+?\'esab\'\)\;\$.+?\(\'edo\'\.\'lpm\'\.\'i\'\)\;\$.+?\)\.\'\'\)\;eval\(\$.+?\)\)\)\)\;\s+\?>/is,
+ qr/\$z\=get\_option\(\"([A-z0-9]{20,})\"\)\;\s+\$z\=base64\_decode\(str\_rot13\(\$z\)\)\;\s+if\(strpos\(\$z\,\"([A-z0-9]{1,20})\"\)\!\=\=false\)\{\s+\$\_z\=create\_function\(\"\"\,\$z\)\;\s+\@\$\_z\(\)\;\s+\}/is,