Additional Details
Sampo can infect a computer's hard disk only if the computer
is booted from an infected diskette, in which case the virus
infects the hard disk's Master Boot Record (MBR). The virus
stays resident after the floppy boot, and it goes resident in
memory again each time the computer is subsequently booted from
the hard disk. Once in memory, Sampo infects all non-write-
protected diskettes used in the computer.
Sampo hooks interrupts 08h, 09h and 13h (timer tick, keyboard
and disk operations). When Ctrl-Alt-Del is pressed, the virus
attempts to fake a warm boot, keeping itself resident in memory.
Sampo activates on the 30th of November, after the machine has
been used for a couple of hours. It then displays a blue box in
the upper corner of the screen. In the box, Sampo prints the
following text in cyan:
S A M P O
"Project X"
Copyright (c)1991 by the
SAMPO X-Team. All rights
reserved.
University Of The East
Manila
Sampo also has one peculiarity: it carries the old Kampana
virus with it, and it makes clean write-protected diskettes
appear to be infected with Kampana if they are examined while
Sampo is resident. It probably does this to fool users into
removing the write-protection from their floppies in order to
disinfect Kampana, so that Sampo can then infect them.
Sampo can also be disinfected manually by cold-booting the infected
machine from a clean, write-protected boot diskette with MS-DOS 5 or 6.
Because the virus traps Ctrl-Alt-Del and fakes the warm boot, use the
power switch or reset button rather than Ctrl-Alt-Del. The FDISK utility
should be copied to the boot diskette beforehand. After booting the
machine, check with the DIR command that all hard disk partitions are
visible. If you receive an error message like "Invalid drive
specification", do not try to use FDISK to remove the virus. If all
partitions can be seen, the command FDISK /MBR overwrites the virus code
in the master boot record while leaving the partition table intact.
After a successful disinfection the machine can be booted normally
again. Floppy disks can be disinfected manually by SYSing them on a
clean machine.
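The procedure above rests on the layout of the master boot record: 446 bytes of boot code, a 64-byte partition table of four 16-byte entries, and the 55AA signature. FDISK /MBR rewrites only the code area, so it is safe exactly when the partition table in sector 0 is still usable, which is what the DIR check establishes. The following Python script is an added illustration, not code from this description or from F-Secure: it parses a 512-byte MBR image, performs a partition-table sanity check standing in for DIR, and rewrites the code area while preserving the table, refusing to do so when the table is unusable. The two images and the code stubs it works on are constructed for the example and are not Sampo's or DOS's real bytes.

```python
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: boot code (the part FDISK /MBR rewrites)
PART_TABLE_OFF = 446          # bytes 446..509: four 16-byte partition entries
PART_ENTRY_SIZE = 16
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_partition_table(sector):
    """Return the four partition entries as dicts; raise if the MBR is malformed."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            "<B3sB3sII", sector[off:off + PART_ENTRY_SIZE])
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def partitions_visible(sector):
    """Stand-in for the DIR check: at least one non-empty, sane, non-overlapping
    partition entry and a valid signature. False means the table is unusable."""
    try:
        entries = parse_partition_table(sector)
    except ValueError:
        return False
    used = [e for e in entries if e["type"] != 0]
    if not used:
        return False
    if any(e["sectors"] == 0 or e["lba_start"] == 0 for e in used):
        return False
    spans = sorted((e["lba_start"], e["lba_start"] + e["sectors"]) for e in used)
    return all(s2 >= e1 for (_, e1), (s2, _) in zip(spans, spans[1:]))


def rewrite_boot_code(sector, clean_code):
    """What FDISK /MBR does: replace the 446-byte code area only, keep the
    partition table and signature. Returns None instead of rewriting when the
    table is unusable, mirroring the advice not to run FDISK after an
    'Invalid drive specification' error."""
    if not partitions_visible(sector):
        return None
    if len(clean_code) > BOOT_CODE_SIZE:
        raise ValueError("boot code too large for the MBR code area")
    return clean_code.ljust(BOOT_CODE_SIZE, b"\x00") + sector[PART_TABLE_OFF:]


# --- constructed sample data (placeholders, not real Sampo or DOS bytes) ---
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20            # stand-in clean loader stub
VIRUS_CODE = b"\xeb\x3c" + b"SAMPLE-INFECTED" + b"\xcc" * 10   # stand-in infected code


def _make_entry(bootable, ptype, lba_start, sectors):
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\x00" * 3,
                       ptype, b"\x00" * 3, lba_start, sectors)


def build_mbr(code, entries):
    """Assemble a 512-byte MBR image from a code stub and up to four entries."""
    table = b"".join(entries).ljust(4 * PART_ENTRY_SIZE, b"\x00")
    return code.ljust(BOOT_CODE_SIZE, b"\x00") + table + MBR_SIGNATURE


PART_TABLE = [_make_entry(True, 0x06, 63, 204_737),        # FAT16 primary partition
              _make_entry(False, 0x05, 204_800, 50_000)]   # extended partition

# Case 1: code area infected, partition table intact -> rewriting is safe.
INFECTED_TABLE_OK = build_mbr(VIRUS_CODE, PART_TABLE)
# Case 2: code area infected and table wiped -> DIR would fail; refuse to rewrite.
INFECTED_TABLE_BROKEN = build_mbr(VIRUS_CODE, [])


def disinfect(sector):
    """Run the page's procedure on an image: visibility check first, then rewrite."""
    return rewrite_boot_code(sector, CLEAN_CODE)


if __name__ == "__main__":
    for name, img in (("intact table", INFECTED_TABLE_OK),
                      ("damaged table", INFECTED_TABLE_BROKEN)):
        result = disinfect(img)
        if result is None:
            print(f"{name}: partitions not visible, refusing to rewrite the MBR")
        else:
            print(f"{name}: code rewritten, table preserved:",
                  result[PART_TABLE_OFF:] == img[PART_TABLE_OFF:])
```

Note that the check deliberately errs on the side of refusing: a boot-sector virus that has moved or damaged the partition table leaves nothing for a code-only rewrite to restore, and overwriting the code then removes the virus's own path to the relocated data as well.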
Sampo is common all over the world.
[Analysis: Jeremy Gumbley, Symbolic & Mikko Hypponen, F-Secure]