Welcome to the Computer Security Wiki! You can help us by expanding stubs, create new articles and improve current articles.
You can also help us by logging-in or creating an account!


From Malware Wiki
Jump to: navigation, search
Creator4418 and 5F10
DateOctober 1989
Programming LanguageAssembly
File TypeDOS executable (.COM)
Size2,351 bytes
This box: view  talk  edit

Virus.Multi.Ghostball.2351 or Ghostball is a multipartite virus on DOS. It was the first multipartite virus ever discovered. It is actually a variant of Vienna that drops a copy of the PingPong virus on diskettes.

The virus gets its name from the text string contained in the virus: GhostBall, Product of Iceland. Some antivirus products may shorten the name to "Ghost". Others refer to it as "Ghostorb", as "balls" refer to testicles in American and some other dialects of English, and may be considered offensive.


When opened, the program searches for another .com file to infect in the current directory, It can check if the "seconds" field of the file's timestamp is set to 62, which means the file is already infected but if it wasn't, Ghostball infects it,

If the file has the read-only attribute set, the virus will remove it and replace it after the infection. It brings a JMP instruction to the beginning of the file with only 2,351 bytes. Ghostball then tries to drop a copy of the PingPong virus onto the boot sector of drive A:.


Use F-Prot, NAV, or delete the infected files and DOS SYS.


Ghostball itself is sometimes considered a variant of the Vienna virus. It is very similar to the original Vienna, especially with regard to it, changing the seconds field on a file's timestamp to the impossible value of 62. Ghostball itself has a few variants of its own, none of them are any different from the original.


Fridrik Skulason. University of Iceland, Computing Services. Reports collected and collated by PC-Virus Index: Ghostball. 1989.11.02

F-Secure Antivirus, F-Secure Virus Descriptions : GhostBall.

Kaspersky Lab Virus.Multi.Ghostball.2351.a.