"GhostBalls" Virus (Nov 2, 1989)

Entry...............: "GhostBalls"
Alias(es)...........: Ghost
Virus Strain........: Vienna (Dos-62)
Virus detected when.: Oct. '89
              where.: Iceland
Classification......: .COM file infecting virus/Extending/Direct/Non-Resident
Length of Virus.....: 2351 bytes added to file
--------------------- Preconditions ------------------------------------
Operating System(s).: MS-DOS
Version/Release.....: 2.0 or higher
Computer model(s)...: IBM PC,XT,AT and compatibles
--------------------- Attributes ---------------------------------------
Easy Identification.: .COM files: "seconds" field of the timestamp
                      changed to 62, as in the original Vienna virus.
                      Infected files end in a block of 512 zero bytes.
Type of infection...: Extends .COM files. Adds 2531 bytes to the end
                      of the file and places a JMP instruction at the
                      beginning. When an infected program is run, it
                      will search for a program to infect, and also
                      try to place a modified copy of the Ping-Pong
                      virus on the boot sector in drive A.
                      The virus will remove the Read-Only attribute
                      from programs in order to infect them. The
                      attribute is restored afterwards.
Infection Trigger...: One .COM file in the current directory with the
                      "seconds" field not equal to 62 will be infected
                      each time an infected program is run.
Storage media affected: Boot sectors on diskettes.
Interrupts hooked...:
Damage..............: .COM files and boot sectors modified.
                      No permanent damage.
Damage Trigger......:
Particularities.....: The destruction of 1 program in 8 in the original
                      Vienna virus has been disabled.
                      The Ping-Pong copy placed on drive A: has been
                      modified in two ways: It will work on a '286
                      machine but has been patched so it will not
                      infect other diskettes.
                      Virus contains the text string:
                      "GhostBalls, Product of Iceland"
Similarities........:
--------------------- Agents -------------------------------------------
Countermeasures.....: Any program that identifies the Vienna virus by
                      using signatures should be able to find infected
                      files. VIRSCAN (46) will identify infected files.
                      F-FCHK (by the author of this article) will
                      identify infected files and remove the infection.
Countermeasures successful:
Standard means......:
--------------------- Acknowledgement ----------------------------------
Location............: University of Iceland/Computing Services
Classification by...: Fridrik Skulason (frisk@rhi.hi.is)
Documentation by....: Fridrik Skulason
Date................: November 2, 1989
Information Source..: .
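The identification hints in this entry can be checked mechanically. The following is an added example, not part of the original catalog entry and not the logic of VIRSCAN or F-FCHK: it reads the "seconds" field from a raw FAT directory entry (an ordinary file API will not report 62 seconds) and tests file content for the 512-byte zero tail and the text string. The function names and sample data are constructed for illustration, and it assumes the text string is stored as plain ASCII.

```python
import struct

MARKER = b"GhostBalls, Product of Iceland"  # text string quoted in the entry
ZERO_TAIL = 512                             # infected files end in 512 zero bytes


def fat_seconds(dir_entry: bytes) -> int:
    """Seconds encoded in a 32-byte FAT directory entry (time word, offset 22).

    FAT stores seconds/2 in the low 5 bits, so raw value 31 decodes to 62,
    a value no normal file write produces.
    """
    (time_word,) = struct.unpack_from("<H", dir_entry, 22)
    return (time_word & 0x1F) * 2


def indicators(dir_entry: bytes, content: bytes) -> dict:
    """Evaluate each identification hint from the entry on its own."""
    return {
        "seconds_62": fat_seconds(dir_entry) == 62,
        "zero_tail": content[-ZERO_TAIL:] == bytes(ZERO_TAIL),
        # Assumption: the string sits in the file as plain ASCII.
        "text_string": MARKER in content,
    }


def verdict(ind: dict) -> str:
    if all(ind.values()):
        return "likely GhostBalls"
    if ind["seconds_62"]:
        return "Vienna-family timestamp mark"  # shared with the original Vienna
    return "inconclusive" if any(ind.values()) else "no indicators"


def sample_entry(name: bytes, hour: int, minute: int, raw_sec: int) -> bytes:
    """Constructed FAT directory entry; only name and time are meaningful."""
    time_word = (hour << 11) | (minute << 5) | raw_sec
    return struct.pack("<11sB10sHHHI", name, 0x20, b"", time_word, 0, 0, 0)


if __name__ == "__main__":
    # Constructed samples, not real captures.
    clean = (sample_entry(b"HELLO   COM", 12, 30, 10), b"\xb4\x4c\xcd\x21")
    marked = (sample_entry(b"GAME    COM", 9, 15, 31),
              b"\xe9\x00\x00" + b"\x90" * 16 + MARKER + bytes(ZERO_TAIL))
    for entry, body in (clean, marked):
        print(entry[:11].decode(), verdict(indicators(entry, body)))
```

The timestamp mark alone only indicates a Vienna-family infection, which is why the verdict requires all three hints before naming GhostBalls.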