
Casper RFI crack bot – Part 15

What this appears to be looking for is more machines to exploit, big surprise!

I followed it back for a bit and this is what I ended up with.

sub se_yahoo {
  my ($chan,$key,$nf) = @_;

sub s_engine {
    my ($f,$se,$type,$chan,$bug,$dork,$ef) = @_;

sub s_cari {
  #Type: 1 = Search only, 2 = Search and exploit, 3 = Search and exploit Joomla
  my ($chan,$dork,$nf,$bug,$type) = @_;

sub s_scanz {
  my ($to,$bug,$dork,$sb,$type,$autodom) = @_;

if    (($com =~ /^scan\s+(.+?[=])\s+(.*)/) && (fork() == 0))  { s_scanz($dtarget,$1,$2,$hb,1,1); exit;  }

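So it will search for whatever is in the second match group of the command that is supplied ($2, which s_scanz receives as $dork). The first match group has to end in = and is passed along as $bug.
There are also some other subs in here that are worth mentioning.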

One uses a site http://md5.rednoize.com/ to try and find md5 sums.

Another does a geolocation lookup of the machine compromised from what I could tell.
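
To triage captured channel traffic for this command, the bot's own scan regex can be run over the log lines. The following is an added example, not code from the bot or from the original post; it assumes the capture is raw IRC PRIVMSG lines and that $com is the message text after " :", and the sample lines are constructed placeholders.

```python
import re

# Python port of the bot's command regex shown above:
#   /^scan\s+(.+?[=])\s+(.*)/  ->  s_scanz($dtarget, $1, $2, $hb, 1, 1)
# Group 1 lands in $bug, group 2 in $dork (per the s_scanz signature).
SCAN_CMD = re.compile(r'^scan\s+(.+?[=])\s+(.*)')

# Assumption: raw IRC PRIVMSG lines, with the command text after " :".
PRIVMSG = re.compile(
    r'^:(?P<nick>[^!\s]+)\S*\s+PRIVMSG\s+(?P<chan>\S+)\s+:(?P<text>.*)$')


def find_scan_commands(log_lines):
    """Return one dict per line that would trigger the bot's scan branch."""
    hits = []
    for lineno, line in enumerate(log_lines, 1):
        msg = PRIVMSG.match(line.rstrip("\r\n"))
        if not msg:
            continue
        cmd = SCAN_CMD.match(msg.group("text"))
        if not cmd:
            continue  # e.g. no '=' terminating the first argument
        hits.append({
            "line": lineno,
            "operator": msg.group("nick"),
            "channel": msg.group("chan"),
            "bug": cmd.group(1),   # what the bot passes as $bug
            "dork": cmd.group(2),  # what the bot passes as $dork
        })
    return hits


# Constructed sample capture; nicks, channel and values are placeholders.
SAMPLE_LOG = [
    ":op1!u@host.invalid PRIVMSG #chan :scan PLACEHOLDER_PATH?x= PLACEHOLDER SEARCH TERMS",
    ":op1!u@host.invalid PRIVMSG #chan :scan no-equals-sign here",
    ":bot7!u@host.invalid PRIVMSG #chan :hello",
    ":op2!u@host.invalid PRIVMSG #chan :scan a=b=  term",
]

if __name__ == "__main__":
    for hit in find_scan_commands(SAMPLE_LOG):
        print(hit)
```

The second sample line is skipped because the first argument never ends in =, which is the same condition that keeps the bot from forking s_scanz.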

