From c2797613ef8a31d23381229cb0cdecc1f0a17f4d Mon Sep 17 00:00:00 2001
From: jvoisin
Date: Tue, 30 Jun 2015 15:25:10 +0200
Subject: Replace the $__ rule with the $___ one.
---
 malwares.yara | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/malwares.yara b/malwares.yara
index c421956..3081e15 100644
--- a/malwares.yara
+++ b/malwares.yara
@@ -54,7 +54,7 @@ private rule CloudFlareBypass
 rule ObfuscatedPhp
 {
 strings:
- $vars = /\$__+/ // $__ is rarely used in legitimate scripts
+ $vars = /\$___+/ // $__ is rarely used in legitimate scripts
 $eval = /[;}][\t ]*@?(eval|preg_replace|system|exec)\(/ // ;eval( <- this is dodgy
 $align = /(\$\w+=[^;]*)*;\$\w+=@?\$\w+\(/ //b374k
 $oneliner = /<\?php\s*\n*\r*\s*(eval|preg_replace|system|exec)\(/
--
cgit v1.3
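Review bot: The trailing comment on the changed `$vars` line still says `$__` is rarely used in legitimate scripts, but the pattern now requires three or more underscores, so the comment contradicts the rule it annotates. Something like `// $___ (three or more underscores) is rarely used in legitimate scripts` would match the new threshold, and if the reason for dropping `$__` was false positives on legitimate code (presumably, going by the subject line), it is worth stating that next to the pattern. The change also means a sample whose only marker is a two-underscore variable no longer hits `$vars`. The rule's `condition:` section lies outside this hunk, so whether `$eval`, `$align` or `$oneliner` still cover that case cannot be judged from here; a known-bad fixture using `$__` would pin the intended behaviour down. As a minor readability point, `/\$_{3,}/` states the minimum count more directly than `___+`.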