Ghostballs Virus


 Virus Name:  Ghostballs 
 Aliases:     Ghost Boot, Ghost COM, Ghostballs.1 
 V Status:    Extinct 
 Discovered:  October, 1989 
 Symptoms:    Moving graphic display; .COM file growth; file corruption; BSC 
 Origin:      Iceland 
 Eff Length:  2,351 bytes 
 Type Code:   PNCB - Parasitic Non-Resident .COM & Boot Sector Infector 
 Detection Method:  ViruScan, F-Prot, AVTK, NAV, Sweep, IBMAV, 
                    NAVDX, VAlert, PCScan, ChAV, 
                    NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N, 
                    NAV/N, IBMAV/N 
 Removal Instructions: F-Prot, NAV, or 
                       delete infected files & DOS SYS 
 General Comments: 
       The Ghostball,  Ghost Boot, and Ghost COM viruses were discovered in 
       October, 1989 by Fridrik Skulason of Iceland.  The Ghostballs 
       virus infects generic .COM files, as well as altering diskette boot 
       sectors. 
 
       When a program infected with Ghostballs is executed, Ghostballs will 
       search the current directory for an uninfected .COM file to infect. 
       If an uninfected program is found, it will be infected, the infection 
       increasing the file size by 2,351 bytes. The virus will be located 
       at the end of infected files.  Programs infected with Ghostballs will 
       contain the following text: 
 
               "GhostBalls, Product of Iceland 
                Copyright (c) 1989, 4418 and 5F10 
                MSDOS 3.2" 
 
       Ghostballs also alters the disk boot sector, replacing it with viral 
       code similar to the Ping Pong virus.  This altered boot sector, 
       however, will not replicate. 
 
       Symptoms of this virus are very similar to the Ping Pong virus, and 
       random file corruption may occur on infected systems. 
 
       The Ghostballs virus was the first known virus that could infect 
       both files (.COM files in this case) and disk boot sectors. After 
       the boot sector is infected, the system experiences the bouncing 
       ball effect of the Ping Pong virus.  If the boot sector is 
       overwritten to remove the boot viral infection, it will again 
       become corrupted the next time an infected .COM file is executed. 
 
       The Ghostballs virus is based on the code of two other viruses. 
       The .COM infector portion consists of a modified version of the 
       Vienna virus.  The boot sector portion of the virus is based on the 
       Ping Pong virus. 
 
       To remove this virus, turn off the computer and reboot from a write 
       protected master diskette for the system.  Then use either MDisk or 
       the DOS SYS command to replace the boot sector on the infected 
       disk.  Any infected .COM files must also be erased and deleted, then 
       replaced with clean copies from your original distribution diskettes. 
 
       Known variant(s) of Ghostballs are: 
       Ghostballs.1: Functionally identical to the original Ghostballs 
                     virus, this variant differs by 4 bytes.

Show viruses from discovered during that infect .

Main Page