From f7a68d60e1b8a313accd79e9f3eb294eeddd3625 Mon Sep 17 00:00:00 2001
From: Palma Solutions LTD
Date: Wed, 9 May 2018 14:12:19 +0200
Subject: [PATCH] new patterns
---
 .vscode/settings.json | 3 +++
 malware5.pl | 5 ++++-
 malwaresh.pl | 4 ++++
 3 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 .vscode/settings.json
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..26df38b
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "python.linting.enabled": false
+}
\ No newline at end of file
diff --git a/malware5.pl b/malware5.pl
index 4724bdb..1352611 100644
--- a/malware5.pl
+++ b/malware5.pl
@@ -478,7 +478,10 @@ my @regexen = (
 qr/<\?php.+?str\_replace\(\"j\"\,\"\"\,\"sjtrj\_jrjejpljajcje\"\)\;.+?\(\"i\"\,\s+\"\"\,\s+\"ibiaisie6i4i\_dieicoide\"\)\;.+?\(\"k\"\,\"\"\,\"crkekatkek\_kfkukncktkikon\"\)\;.+?\(\)\;\s+\?>/is,
 qr/GIF89a1\s+<\?php\s+\@error\_reporting\(NULL\).+?\$nowaddress\=.+?\$nowaddress.+?Upload.+?<\/form>\"\;\s+\?>/is,
 qr/<\?php\s+echo\(base64\_decode\(.+?\)\)\;\s+\?>/is,
-
+ qr/<\?\/\*\s+eval\(base64\_decode\(+?\)\)\;\s+\*\/\s+\?>/is,
+ qr/<\?php.+?\$cache\_folder\s+\=\s+\"wtuds\"\;\s+\$template\_folder\s+\=\s+\"sotpie\"\;.+?\$user\_agent\_to\_filter\s+\=\s+array\(.+?exit\;\s+\}\s+\?>/is,
+ qr/<\?php\s+ignore\_user\_abort\(\)\;.+?if\s+\(strpos\(\$inn\,\s+\"\.php\.suspected\"\)\).+?rename.+?\?>/is,
+
 );
 
 my @base64_decodes = (
diff --git a/malwaresh.pl b/malwaresh.pl
index d789784..74e8f9f 100644
--- a/malwaresh.pl
+++ b/malwaresh.pl
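Review bot: The first added pattern in the malware5.pl hunk, `qr/<\?\/\*\s+eval\(base64\_decode\(+?\)\)\;\s+\*\/\s+\?>/is`, has `\(+?` where the neighbouring patterns use `\(.+?\)`, so the `+?` quantifies the literal `(` and the regex can only match `base64_decode` followed by parentheses with nothing between them; the signature will silently never fire on a real sample, and the identical line is added to malwaresh.pl in the next hunk. The intended line is presumably `qr/<\?\/\*\s+eval\(base64\_decode\(.+?\)\)\;\s+\*\/\s+\?>/is,`. Since both files carry the same `@regexen` list, keeping the patterns in one shared module (or a single pattern file loaded by both scripts) would stop the two copies from drifting the next time one is fixed. The added patterns also escape characters that are not regex metacharacters (`\_`, `\,`, `\=`), which is harmless but makes them harder to read and review; a small per-pattern corpus of known-positive and known-negative snippets run under Test::More would have caught the `\(+?` typo before merge. The enclosing `my @regexen = (` list starts before the hunk.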
@@ -961,6 +961,10 @@ my @regexen = (
 qr/<\?php.+?str\_replace\(\"j\"\,\"\"\,\"sjtrj\_jrjejpljajcje\"\)\;.+?\(\"i\"\,\s+\"\"\,\s+\"ibiaisie6i4i\_dieicoide\"\)\;.+?\(\"k\"\,\"\"\,\"crkekatkek\_kfkukncktkikon\"\)\;.+?\(\)\;\s+\?>/is,
 qr/GIF89a1\s+<\?php\s+\@error\_reporting\(NULL\).+?\$nowaddress\=.+?\$nowaddress.+?Upload.+?<\/form>\"\;\s+\?>/is,
 qr/<\?php\s+echo\(base64\_decode\(.+?\)\)\;\s+\?>/is,
+ qr/<\?\/\*\s+eval\(base64\_decode\(+?\)\)\;\s+\*\/\s+\?>/is,
+ qr/<\?php.+?\$cache\_folder\s+\=\s+\"wtuds\"\;\s+\$template\_folder\s+\=\s+\"sotpie\"\;.+?\$user\_agent\_to\_filter\s+\=\s+array\(.+?exit\;\s+\}\s+\?>/is,
+ qr/<\?php\s+ignore\_user\_abort\(\)\;.+?if\s+\(strpos\(\$inn\,\s+\"\.php\.suspected\"\)\).+?rename.+?\?>/is,
+
 );
 
 my @base64_decodes = (