In the "Everything goes round and round" and "Is there anything new" departments, I quote first from the msft-mmpc analysis:
Analysis of the Eleonore exploit pack shellcode
Eleonore shellcode locates kernel32.dll in an exploited process space...
With access to these functions, the shellcode creates a file in the temporary files folder (%TEMP%) and calls URLDownloadToFile with a URL that is 0x67 bytes after the shellcode. The shellcode then executes that file.
And from a threafire blog analysis from 2007:
Shellcode analysis - download n' exec (Analysis of wmf file buffer overflow)
Stepping into the instructions with f7 now reveals the code searching for kernel32's location in the process...
It loads urlmon and finds URLDownloadToFileA. These calls all tell us that this shellcode's functionality is download and execute - and we can observe the url strings that the code is communicating with.
Use of URLDownloadToFileA
precedes the WMF exploit. It was noticed as early as 2004 in the ANI cursor exploit:
[animated cursor exploit]
animated cursor file (1.ani):
And beginning in 2008 with the PDF exploits:
URLMON.DLL. URL DownloadToFileA. hXXp://XXXXXX.cn/load.php?
The filename "load" has always been popular, for some reason.
Continuing from the mmpc analysis:
The shellcode ends here as "load.exe" begins, with the affected computer now compromised.