From f63d27195307a899d021f9131223157178518b0b Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Sat, 5 May 2018 11:47:52 +0200
Subject: [PATCH] bug fix

---
 malware5.pl | 2 +-
 malwaresh.pl | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/malware5.pl b/malware5.pl
index aea4e68..b3d51a9 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -441,7 +441,7 @@ my @regexen = (
 qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
 qr/<\?php\s+eval\(stripslashes\(\@\$\_POST\[\(chr\(([0-9]{1,20})\)\.chr\(([0-9]{1,20})\)\)\]\)\)\;\?>/is,
 qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\;return\s+base64\_decode\(\$\w\[\$\w\]\)\;\}\s+\?>/is,
- qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/is,
+ qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})\).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
 qr/<\?php\s+\$command\s+\=\s+\"wget\s+http\:\/\/.+?cryptonight.+?\{\s+echo\s+execCommand\(\$command\)\;\s+\}\s+\?>/is,
 qr/<\?php\s+\$tag\s+\=\s+\'\s+\*\s+\@package\s+general\'\;\s+\$code\s+\=\s+<<<\'CODE\'\s+\*\/.+?CODE\;\s+\$injectType\s+\=\s+1\;.+?unlink\(\_\_FILE\_\_\)\;\s+\?>/is,
diff --git a/malwaresh.pl b/malwaresh.pl
index e23af7d..8f4415f 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
@@ -924,7 +924,7 @@ my @regexen = (
 qr/<\?php\s+eval\(gzuncompress\(base64\_decode\(.+?\)\)\)\;\s+\?>/is,
 qr/<\?php\s+eval\(stripslashes\(\@\$\_POST\[\(chr\(([0-9]{1,20})\)\.chr\(([0-9]{1,20})\)\)\]\)\)\;\?>/is,
 qr/<\?\s+\$GLOBALS\[.+?\]\=Array\(base64\_decode\(.+?\)\;return\s+base64\_decode\(\$\w\[\$\w\]\)\;\}\s+\?>/is,
- qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/is,
+ qr/<\?php\s+\$\_\d\=\_([0-9]{1,20})\(([0-9]{1,20})\).+?\.\$\_\d\[round\(\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\+\d\.\d\)\]\,\$\_\d\,\_([0-9]{1,20})\(([0-9]{1,20})\)\)\;/is,
 qr/<\?php\s+\$([A-z0-9]{1,20})\=\"([A-z0-9]{32})\"\;\$([A-z0-9]{1,20})\=\".+?\;\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\(\$([A-z0-9]{1,20})\)\)\)\)\;\?>/is,
 qr/<\?php\s+\$command\s+\=\s+\"wget\s+http\:\/\/.+?cryptonight.+?\{\s+echo\s+execCommand\(\$command\)\;\s+\}\s+\?>/is,
 qr/<\?php\s+\$tag\s+\=\s+\'\s+\*\s+\@package\s+general\'\;\s+\$code\s+\=\s+<<<\'CODE\'\s+\*\/.+?CODE\;\s+\$injectType\s+\=\s+1\;.+?unlink\(\_\_FILE\_\_\)\;\s+\?>/is,
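Review bot: The signature corrected on the `+` line exists as an identical copy in malware5.pl (@@ -441) and malwaresh.pl (@@ -924), so the same one-character fix had to be applied twice and the two `@regexen` lists can silently drift apart; keeping the list in one file that both scripts load would avoid that. The removed line left the `)` after the second `([0-9]{1,20})` unescaped, which Perl reports as an unmatched parenthesis when the `qr//` literal is compiled, so the previous revision presumably failed to start rather than merely missing this sample. Running `perl -c` on both scripts before each commit, plus a small fixture of known samples that every signature must match, would catch this class of typo. The `@regexen` list begins and ends outside both hunks, so how the matches are used is not visible here.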