Classification

Category :

Malware

Type :

Virus

Aliases :

Sampo, 69, Wllop, Sanpo

Summary

The Sampo virus, also known as '69', seems to have originated in the Philippines. This boot sector virus was discovered in England and Norway in November 1994. Since then it has been reported in Hong Kong, Singapore, Australia, Finland, Belgium and the USA; in practice it is found world-wide.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Sampo can infect a computer's hard disk only if the computer is booted from an infected diskette, in which case the virus infects the hard disk's Master Boot Record. The virus stays resident after the floppy boot, and it goes resident in memory again the next time the computer is booted from the hard disk. Once in memory, Sampo infects every non-write-protected diskette used in the computer.

Sampo hooks interrupts 08h, 09h and 13h (timer, keyboard and disk operations). When Ctrl-Alt-Del is pressed, the virus attempts to fake a warm boot so that it stays resident.

Sampo activates on the 30th of November, after the machine has been used for a couple of hours. It then displays a blue box in the upper corner of the screen, in which it prints the following text in cyan:

 S A M P O "Project X" Copyright (c)1991 by the SAMPO X-Team. All rights reserved. University Of The East Manila

Sampo also has one peculiarity: it carries the old Kampana virus with it, and it will make clean write-protected diskettes appear to be infected with Kampana if they are examined while Sampo is resident. It probably does this to fool users into removing the write-protection from their floppies in order to disinfect Kampana, so that Sampo can then infect those floppies.

Sampo can also be disinfected manually by cold-booting the infected machine from a boot diskette with MS-DOS 5 or 6. The FDISK utility should be copied to the boot diskette beforehand. After booting the machine, test that all hard disk partitions are visible with the DIR command. If you receive an error message like "Invalid drive specification", do not try to use FDISK to remove the virus. If all partitions can be seen, the command FDISK /MBR will overwrite the virus in the master boot record. After a successful disinfection the machine can be booted normally again. Floppy disks can be disinfected manually by SYSing them on a clean machine.
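The checks behind the manual procedure (a valid boot signature, a visible partition table, and the activation banner quoted above) can be scripted against a raw sector image. This is an added example, not F-Secure's own tooling; it assumes the banner is stored as plain ASCII in an infected sector and runs on a constructed 512-byte image rather than a real sample.

```python
import struct

# Layout of a classic 512-byte MBR: 446 bytes of boot code, four 16-byte
# partition entries at offset 446, and the 0x55AA signature at offset 510.
PART_TABLE_OFFSET = 446
BOOT_SIG_OFFSET = 510

# Fragments of the activation banner quoted in the description.
# Assumption: an infected sector carries them as plain ASCII; a real sample
# may store them differently, so a miss here does not prove a sector is clean.
SAMPO_MARKERS = (b"SAMPO X-Team", b"Project X", b"University Of The East")


def parse_partitions(sector: bytes):
    """Return the four partition entries as dicts (status, type, start LBA, sector count)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": count})
    return entries


def inspect_mbr(sector: bytes) -> dict:
    """Sanity-check a 512-byte MBR image and look for the Sampo banner text."""
    if len(sector) != 512:
        raise ValueError("expected a 512-byte sector image")
    sig_ok = sector[BOOT_SIG_OFFSET:] == b"\x55\xaa"
    parts = parse_partitions(sector)
    # A sane table has only 0x00/0x80 status bytes, at most one active entry,
    # and at least one non-empty entry (otherwise DOS shows no drives).
    statuses_ok = all(p["status"] in (0x00, 0x80) for p in parts)
    active = sum(1 for p in parts if p["status"] == 0x80)
    has_partitions = any(p["type"] != 0 for p in parts)
    hits = [m.decode() for m in SAMPO_MARKERS if m in sector[:PART_TABLE_OFFSET]]
    return {
        "boot_signature_ok": sig_ok,
        "partition_table_sane": statuses_ok and active <= 1 and has_partitions,
        "sampo_markers": hits,
        "partitions": parts,
    }


def build_sample_mbr(infected: bool) -> bytes:
    """Construct a synthetic MBR for demonstration only (not a real sample)."""
    code = bytearray(PART_TABLE_OFFSET)
    if infected:
        code[64:64 + len(b"SAMPO X-Team")] = b"SAMPO X-Team"
    # One active FAT16 (type 0x06) partition starting at LBA 63, 65536 sectors.
    entry = struct.pack("<B3xB3xII", 0x80, 0x06, 63, 65536)
    return bytes(code) + entry + bytes(48) + b"\x55\xaa"
```

Run `inspect_mbr` on a sector dumped from a suspect disk; a flagged marker or an insane partition table is the cue to follow the removal steps rather than booting from the hard disk.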

Sampo is common all over the world.