When an infected .com file is run, Ghostball searches for another .com file to infect in the current directory. It checks if the "seconds" field of the file's timestamp is set to 62, which means the file is already infected. If it is not, Ghostball will infect it. If the file has the read-only attribute set, the virus will remove it and replace it when it has completed the infection. It adds a JMP instruction to the beginning of the file and appends its 2,351 bytes to it. Ghostball then tries to drop a copy of the PingPong virus onto the boot sector of drive A:.
| Attributes | Values |
|---|---|
| rdf:type | |
| rdfs:label |
|
| rdfs:comment |
|
| dcterms:subject | |
| dbkwik:malware/pro...iPageUsesTemplate | |
| Date |
|
| Origin |
|
| Platform |
|
| Name |
|
| Type |
|
| pl |
|
| filetype |
|
| AKA |
|
| Creator |
|
| Size |
|
| abstract |
|