From ef075ea2e204700bc6504329153c78e50d1b573c Mon Sep 17 00:00:00 2001
From: Malin
Date: Thu, 19 Jan 2017 21:09:21 +0100
Subject: [PATCH] Update 'malware4.pl'
---
 malware4.pl | 1 +
 1 file changed, 1 insertion(+)
diff --git a/malware4.pl b/malware4.pl
index f49a97e..893248e 100644
--- a/malware4.pl
+++ b/malware4.pl
@@ -43,6 +43,7 @@ my @regexen = (
 qr/<\?\s+\$([A-z0-9]{1,3})\[1\]\=\"([A-z0-9]{1,20})\.html\"\;\$([A-z0-9]{1,3})\[1\]\=.+?file\_put\_contents\(\$fileaddr\,gzuncompress\(base64\_decode\(\$([A-z0-9]{1,3})\[\$([A-z0-9]{1,3})\]\)\)\)\;\}\s+unlink\(\$scr\.\"\.php\"\)\;\s+\?>/is,
 qr/<\?php\s+\$GLOBALS\[\'([A-z0-9]{1,20})\'\]\s+\=\s+\$\_SERVER\;\s+function\s+([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\).+?exit\(\$\{([A-z0-9]{1,20})\(\"lie\=\=\?\"\)\}\)\;\s+\}/is,
 qr/eval\(base64\_decode\(\"aWY.+?include.+?eval\(base64\_decode\(\"aWY.+?include.+?ephp\"\;/is
+ qr/<\?php\s+\/\*\s+ionCube24\s+encoder\s+\*\/\s+global\s+\$g\;\s+eval\(base64\_decode\(file\_get\_contents\(\_\_FILE\_\_\,null\,null\,.+?\_\_halt\_compiler\(\).+?\Z/is,
 );
 my @base64_decodes = (
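Review bot: The context line directly above the added signature ends in `ephp\"\;/is` with no trailing comma, so as the hunk reads, `@regexen` now has two adjacent `qr//` terms and the scanner will fail to compile instead of loading the new rule. The commit needs to touch that line as well, changing its ending to `ephp\"\;/is,` (unless the comma was only lost when this page was rendered). Running `perl -c malware4.pl` before committing signature updates would catch this kind of slip. A one-line comment above the new entry, such as `# fake "ionCube24 encoder" header: eval(base64_decode(file_get_contents(__FILE__, ...))) loader`, would also help, since none of the signatures shown say what they match. The `@regexen` list starts above and continues below this hunk, so earlier entries were not reviewed.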