From 3ac218cb3a4b33cc2d9a98860ed87480a307169e Mon Sep 17 00:00:00 2001
From: Julien Voisin
Date: Thu, 23 Apr 2015 18:28:24 +0200
Subject: Add a rule for dodgy variables

---
 malwares.yara | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/malwares.yara b/malwares.yara
index f764de5..dc1a6cd 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -61,8 +61,9 @@ rule ObfuscatedPhp
 $weevely3 = /\$\w=\$[a-zA-Z]\('',\$\w\);\$\w\(\);/ // weevely3 launcher
 $launcher = /;\$\w+\(\$\w+(,\s?\$\w+)+\);/ // http://bartblaze.blogspot.fr/2015/03/c99shell-not-dead.html
 $danone = /\$s20=strtoupper\((\$[0-9A-Za-z]{1,4}\[\d+\]\.){2,9}[^\)]*\);if/
+ $strange_arg = /\${\$[0-9a-zA-z]+}/
 condition:
- IsPhp and ($align or $oneliner or $eval or $launcher or #vars > 5 or $weevely3 or $danone)
+ IsPhp and ($align or $oneliner or $eval or $launcher or $strange_arg or #vars > 5 or $weevely3 or $danone)
 }

 private rule base64
@@ -132,7 +133,7 @@ rule DangerousPhp
 $k = "win_shell_execute" fullword
 $l = "win32_create_service" fullword
 $m = "posix_getpwuid" fullword
- $n = "shmop_open" fullword
+ $n = "shm_open" fullword
 $o = "assert" fullword
 $p = "fsockopen" fullword
 $q = "function_exists" fullword
--
cgit v1.3
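Review bot: The character class in the new `$strange_arg` string, `[0-9a-zA-z]`, uses the range `A-z`, which spans ASCII 0x41–0x7A and therefore also matches `[`, `\`, `]`, `^`, `_` and the backtick; this is almost certainly a typo for `A-Z`, and it lets the pattern fire on text such as `${$a\b}` that is not a PHP variable name at all. PHP identifiers may legitimately contain underscores, so the class should list `_` explicitly rather than pick it up by accident: `$strange_arg = /\$\{\$[0-9a-zA-Z_]+\}/`, which also escapes the braces so they cannot be read as a quantifier. Because `${$x}` (a variable-variable) also occurs in ordinary PHP, it is a weak indicator on its own and deserves a comment next to it like the neighbouring strings have, e.g. `// PHP variable-variable ${$x}, common in obfuscated shells`. The enclosing `rule ObfuscatedPhp` header and its `strings:` section start outside the hunk.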
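Review bot: The new string `$n = "shm_open" fullword` names a function that, as far as I know, does not exist in PHP: `shm_open` is the POSIX C call, while PHP's shared-memory APIs are `shmop_open` (shmop extension) and `shm_attach` (sysvshm), so the replaced `shmop_open` was the correct PHP name and this change appears to turn a working indicator into one that never matches PHP source. Unless something else was intended, I would keep `$n = "shmop_open" fullword` and, if sysvshm coverage was the goal, add `shm_attach` as a separate string alongside it. The commit subject only describes the new variable rule, so a one-line justification of this rename in the message would help the next reader. The rule's `condition:` lies outside the hunk, so any added string would also need wiring in there.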