Added back Wireghoul

php-malware-finder/php.yar

@@ -312,6 +312,7 @@ rule DodgyStrings
         $ = "ipconfig" fullword nocase
         $ = "kernel32.dll" fullword nocase
         $ = "kingdefacer" nocase
+        $ = "Wireghoul" nocase fullword
         $ = "htshell" nocase fullword
         $ = "LD_PRELOAD" fullword
         $ = "libpcprofile"  // CVE-2010-3856 local root
@@ -375,4 +376,3 @@ rule Websites
     condition:
         (any of them) and not IsWhitelisted
 }
-