Virus Profile: Ghostballs

Risk Assessment: Home Low | Corporate Low
Date Discovered: 10/1/1989
Date Added: 10/15/1989
Origin: Iceland
Length: 2,351 Bytes
Type: Virus
Subtype: File Infector
DAT Required: 4002

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Infected files increase in size by 2,351 bytes. The virus is located at the end of infected files.

Files infected with Ghostballs contain the following text:

"GhostBalls, Product of Iceland Copyright (c) 1989, 4418 and 5F10 MSDOS 3.2"

Symptoms of this virus are very similar to the Ping Pong virus, and random file corruption may occur on infected systems.
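The indicators above (2,351 bytes of growth, the virus at the end of the file, the embedded text) can be combined into a simple triage check for .COM files. This is an added example, not the vendor's detection logic; it assumes the first part of the quoted text is stored as contiguous ASCII, and the sample bytes are constructed and contain no virus code.

```python
from pathlib import Path

GROWTH = 2351  # bytes added to each infected .COM file, per the profile
# Assumption: the start of the quoted text is stored as contiguous ASCII.
MARKER = b"GhostBalls, Product of Iceland"


def classify(data: bytes) -> str:
    """Triage one file's bytes against the profile's indicators."""
    # The virus body sits at the end of the host, so the text should fall
    # inside the final 2,351 bytes of a file larger than the body itself.
    if len(data) > GROWTH and MARKER in data[-GROWTH:]:
        return "suspect"
    # Text elsewhere (a write-up, a signature file) is only worth a note.
    if MARKER in data:
        return "marker-outside-tail"
    return "no-marker"


def scan_directory(root) -> dict:
    """Classify every .COM file under root, matching the extension case-insensitively."""
    root = Path(root)
    results = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix.lower() == ".com":
            results[str(path.relative_to(root))] = classify(path.read_bytes())
    return results


def constructed_sample(host_size: int = 100) -> bytes:
    """Constructed test input: filler bytes plus a 2,351-byte tail holding
    only the marker text. It contains no virus code."""
    tail = MARKER.ljust(GROWTH, b"\x00")
    return b"\x90" * host_size + tail


if __name__ == "__main__":
    print(classify(constructed_sample()))
```

A "suspect" result is a reason to compare the file against a clean copy from the original distribution diskettes, not a confirmed detection.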

Methods of Infection

The only way to infect a computer with a file infecting virus is to execute an infected file on the computer. The infected file may come from a multitude of sources including: floppy diskettes, downloads through an online service, network, etc. Once the infected file is executed, the virus may activate.

Aliases

Ghostballs.1
   

Virus Characteristics

Ghostballs is a file-infecting virus. It infects .COM files and alters diskette boot sectors. The Ghostballs virus is based on the code of two other viruses. The .COM infector portion consists of a modified version of the Vienna virus. The boot sector portion of the virus is based on the Ping Pong virus.

Each time a file infected with Ghostballs is executed, Ghostballs searches the current directory for an uninfected .COM file to infect. If an uninfected file is found, it is infected.

Ghostballs also alters the diskette boot sector, replacing it with viral code similar to the Ping Pong virus. This altered boot sector, however, does not replicate.

The Ghostballs virus was the first known virus that could infect both files (.COM files in this case) and disk boot sectors. After the boot sector is infected, the system experiences the bouncing ball effect of the Ping Pong virus. If the boot sector is overwritten to remove the boot viral infection, it will again become corrupted the next time an infected .COM file is executed.

Additional Comments:
The Ghostball, Ghost Boot, and Ghost COM viruses were discovered in October, 1989 by Fridrik Skulason of Iceland. The Ghostballs virus infects generic .COM files, as well as altering diskette boot sectors.

When a program infected with Ghostballs is executed, Ghostballs will search the current directory for an uninfected .COM file to infect. If an uninfected program is found, it will be infected, the infection increasing the file size by 2,351 bytes. The virus will be located at the end of infected files. Programs infected with Ghostballs will contain the following text:

"GhostBalls, Product of Iceland Copyright (c) 1989, 4418 and 5F10 MSDOS 3.2"

Ghostballs also alters the disk boot sector, replacing it with viral code similar to the Ping Pong virus. This altered boot sector, however, will not replicate. Symptoms of this virus are very similar to the Ping Pong virus, and random file corruption may occur on infected systems.

The Ghostballs virus was the first known virus that could infect both files (.COM files in this case) and disk boot sectors. After the boot sector is infected, the system experiences the bouncing ball effect of the Ping Pong virus. If the boot sector is overwritten to remove the boot viral infection, it will again become corrupted the next time an infected .COM file is executed.

The Ghostballs virus is based on the code of two other viruses. The .COM infector portion consists of a modified version of the Vienna virus. The boot sector portion of the virus is based on the Ping Pong virus.

To remove this virus, turn off the computer and reboot from a write protected master diskette for the system. Then use either MDisk or the DOS SYS command to replace the boot sector on the infected disk. Any infected .COM files must also be erased and deleted, then replaced with clean copies from your original distribution diskettes.

Known variant(s) of Ghostballs are:

Variants

Virus Name | Type | Subtype | Differences
GhostBoot | Virus | File Infector |
GhostCOM | Virus | File Infector |

All Users:
Script, Batch, Macro and non memory-resident:
Use current engine and DAT files for detection and removal.

PE, Trojan, Internet Worm and memory resident:
Use specified engine and DAT files for detection. To remove, boot to MS-DOS mode or use a boot diskette and use the command line scanner:

SCANPM /ADL /CLEAN /ALL

Users should not trust file icons, particularly when receiving files from others via P2P clients, IRC, email or other mediums where users can share files.

AVERT Recommended Updates:

* Office2000 Updates

* Malformed Word Document Could Enable Macro to Run Automatically (Information/Patch)

* scriptlet.typelib/Eyedog vulnerability patch

* Outlook as an email attachment security update

* Exchange 5.5 post SP3 Information Store Patch 5.5.2652.42 - this patch corrects detection issues with GroupShield

For a list of attachments blocked by the Outlook patch and a general FAQ, visit this link.
Additionally, Network Administrators can configure this update using an available tool; visit this link for more information.

It is very common for macro viruses to disable options within Office applications; for example, in Word the macro protection warning is commonly disabled. After cleaning macro viruses, ensure that your previously set options are again enabled.