From 2c578c49bd4d0cc52e3c7106ac847ae75b5ca7e3 Mon Sep 17 00:00:00 2001
From: Giovanni <561184+wargio@users.noreply.github.com>
Date: Sun, 17 Jan 2021 10:30:28 +0100
Subject: [PATCH] Added back Wireghoul
---
 php-malware-finder/php.yar | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/php-malware-finder/php.yar b/php-malware-finder/php.yar
index 75361c9..9ecb1ad 100644
--- a/php-malware-finder/php.yar
+++ b/php-malware-finder/php.yar
@@ -312,6 +312,7 @@ rule DodgyStrings
 $ = "ipconfig" fullword nocase
 $ = "kernel32.dll" fullword nocase
 $ = "kingdefacer" nocase
+ $ = "Wireghoul" nocase fullword
 $ = "htshell" nocase fullword
 $ = "LD_PRELOAD" fullword
 $ = "libpcprofile" // CVE-2010-3856 local root
@@ -375,4 +376,3 @@ rule Websites
 condition:
 (any of them) and not IsWhitelisted
 }
-
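Review bot: The added `$ = "Wireghoul" nocase fullword` line in DodgyStrings has no comment saying what the string identifies or why it was put back, unlike the neighbouring `libpcprofile` entry with its `// CVE-2010-3856 local root` note. The string looks like an author handle, which is a weak indicator on its own because it would also match a credits or licence comment in otherwise benign PHP. The subject line says "Added back", so it was presumably removed once already. I would add a trailing comment such as `// author handle, re-added because <reason>; may hit credit lines` so the next maintainer can judge it. The rule's condition lies outside this hunk, so whether a single match is enough to fire DodgyStrings cannot be confirmed from here.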