Virus.Multi.Ghostball.2351 or Ghostball is a multipartite virus on DOS, it is one of the first multiparite viruses ever discovered. It is actually a variant of Vienna that drops a copy of the PingPong virus on diskettes.
When an infected .com file is run, Ghostball searches for another .com file to infect in the current directory. It checks if the "seconds" field of the file's timestamp is set to 62, which means the file is already infected. If it is not, Ghostball will infect it. If the file has the read-only attribute set, the virus will remove it and replace it when it has completed the infection. It adds a JMP instruction to the beginning of the file and appends its 2,351 bytes to it. Ghostball then tries to drop a copy of the PingPong virus onto the boot sector of drive A:.
Ghostball itself is sometimes considered a variant of the Vienna virus. It is very similar to the original Vienna, especially with regard to it changing the seconds field on a file's timestamp to the impossible value of 62. Ghostball itself has few variants of its own, none of them any different from the original.
The virus gets its name from the text string contained in the virus: GhostBall, Product of Iceland. Some antivirus products may shorten the name to "Ghost". Others refer to it as "Ghostorb", as "balls" refer to testicles in American and some other dialects of English, and may be considered offensive.
Fridrik Skulason. University of Iceland, Computing Services. Reports collected and collated by PC-Virus Index: Ghostball. 1989.11.02
F-Secure Antivirus, F-Secure Virus Descriptions : GhostBall.
Kaspersky Lab Virus.Multi.Ghostball.2351.a.