Same pattern found here:
http://urlquery.net/report.php?id=81490princess-sales dot net/main.php?page=3eeb1d64e259a3cf
status: (referer=htxp:/twitter.com/trends/)saved 62768 bytes 93b5ded79fcc2b1a3e5e6bcf509fb3e2c7a4e62cfailure: [Errno 13] Permission denied: '/var/wXw/maliciousips.txt'
info: [decodingLevel=0] found JavaScript
info: DecodedGenericCLSID detected CA8A9780-280D-11CF-A24D-444553540000 BD96C556-65A3-11D0-983A-00C04FC29E36 d27cdb6e-ae6d-11cf-96b8-444553540000 D27CDB6E-AE6D-11CF-96B8-444553540000
malicious: Alert detected /alert CVE-2006-0003 shellexecute with ./../44c9f31.ex-
file: 93b5ded79fcc2b1a3e5e6bcf509fb3e2c7a4e62c: 62768 bytes
file: a79e179909484d491a47ac37cc5d65743a8792a3: 16757 bytes
polonus