Virus Name: Ghostballs
Aliases: Ghost Boot, Ghost COM, Ghostballs.1
V Status: Extinct
Discovered: October, 1989
Symptoms: Moving graphic display; .COM file growth; file corruption; BSC
Eff Length: 2,351 bytes
Type Code: PNCB - Parasitic Non-Resident .COM & Boot Sector Infector
Detection Method: ViruScan, F-Prot, AVTK, NAV, Sweep, IBMAV,
NAVDX, VAlert, PCScan, ChAV,
NShld, LProt, Sweep/N, Innoc, NProt, AVTK/N,
Removal Instructions: F-Prot, NAV, or
delete infected files & DOS SYS
The Ghostball, Ghost Boot, and Ghost COM viruses were discovered in
October, 1989 by Fridrik Skulason of Iceland. The Ghostballs
virus infects generic .COM files, as well as altering diskette boot
When a program infected with Ghostballs is executed, Ghostballs will
search the current directory for an uninfected .COM file to infect.
If an uninfected program is found, it will be infected, the infection
increasing the file size by 2,351 bytes. The virus will be located
at the end of infected files. Programs infected with Ghostballs will
contain the following text:
"GhostBalls, Product of Iceland
Copyright (c) 1989, 4418 and 5F10
Ghostballs also alters the disk boot sector, replacing it with viral
code similar to the Ping Pong virus. This altered boot sector,
however, will not replicate.
Symptoms of this virus are very similar to the Ping Pong virus, and
random file corruption may occur on infected systems.
The Ghostballs virus was the first known virus that could infect
both files (.COM files in this case) and disk boot sectors. After
the boot sector is infected, the system experiences the bouncing
ball effect of the Ping Pong virus. If the boot sector is
overwritten to remove the boot viral infection, it will again
become corrupted the next time an infected .COM file is executed.
The Ghostballs virus is based on the code of two other viruses.
The .COM infector portion consists of a modified version of the
Vienna virus. The boot sector portion of the virus is based on the
Ping Pong virus.
To remove this virus, turn off the computer and reboot from a write
protected master diskette for the system. Then use either MDisk or
the DOS SYS command to replace the boot sector on the infected
disk. Any infected .COM files must also be erased and deleted, then
replaced with clean copies from your original distribution diskettes.
Known variant(s) of Ghostballs are:
Ghostballs.1: Functionally identical to the original Ghostballs
virus, this variant differs by 4 bytes.