Threat Description

Sampo

Details

Aliases: Sampo, 69, Wllop, Sanpo
Category: Malware
Type: Virus
Platform: W32

Summary



The Sampo virus, also known as '69', seems to have originated in the Philippines. This boot sector virus was discovered in England and Norway in November 1994. Since then it has been reported in Hong Kong, Singapore, Australia, Finland, Belgium and the USA; in practice it is found world-wide.



Removal


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More

You may wish to refer to the Support Community for further assistance. You may also refer to General Removal Instructions for a general guide on alternative disinfection actions.



Technical Details



Sampo can infect a computer's hard disk only if the computer is booted from an infected diskette, in which case the virus infects the hard disk's Master Boot Record. The virus stays resident after the floppy boot, and it goes resident in memory again the next time the computer is booted from the hard disk. Once in memory, Sampo infects every non-write-protected diskette used in the computer.

Sampo hooks interrupts 08h, 09h and 13h (clock, keyboard and disk operations). When Ctrl-Alt-Del is pressed, the virus fakes a warm boot so that it remains resident.

Sampo activates on the 30th of November, after the machine has been in use for a couple of hours. It then displays a blue box in the upper corner of the screen and prints the following text in cyan inside the box:

S A M P O
"Project X"
Copyright (c)1991 by the
SAMPO X-Team. All rights
reserved.
University Of The East
Manila

Sampo also has one peculiarity: it carries the old Kampana virus with it, and while Sampo is resident it makes clean, write-protected diskettes appear to be infected with Kampana when they are examined. It probably does this to fool users into removing the write protection from their floppies in order to disinfect Kampana, so that Sampo can then infect the floppies.

Sampo can also be removed manually by cold-booting the infected machine from a clean boot diskette with MS-DOS 5 or 6. The FDISK utility should be copied to the boot diskette beforehand. After booting the machine, check that all hard disk partitions are visible with the DIR command. If you receive an error message such as "Invalid drive specification", do not try to use FDISK to remove the virus. If all partitions can be seen, the command FDISK /MBR will overwrite the virus in the master boot record. After a successful disinfection the machine can be booted normally again. Floppy disks can be disinfected manually by running SYS on them from a clean machine.
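The manual procedure above relies on a property of FDISK /MBR that is worth seeing in code: it rewrites only the boot-code area of the Master Boot Record (the first 446 bytes, where a boot sector virus such as Sampo lives) and leaves the 64-byte partition table and the 55AA signature alone, which is why the "are all partitions visible" check matters before running it. The following Python is an added example, not F-Secure's code or any tool mentioned on this page. It parses a 512-byte MBR image, refuses to rewrite it when the partition table is unusable, and emulates the FDISK /MBR rewrite. All bytes are constructed here; the assumption that the virus banner text sits in the code area as plain ASCII is not stated on the page and is only used to make the before/after difference visible.

```python
"""
Added example (not F-Secure's code): a minimal Master Boot Record inspector
that mirrors the manual-removal procedure. It parses the 512-byte MBR,
checks that the partition table is intact (the analogue of "all partitions
are visible" before FDISK /MBR), and emulates what FDISK /MBR does: rewrite
the boot-code area (bytes 0..445) and leave bytes 446..511 untouched.
All sample bytes below are constructed.
"""
import struct

MBR_SIZE = 512
CODE_AREA = 446            # bytes 0..445: boot code, where a boot sector virus lives
PART_ENTRY = 16            # four 16-byte partition entries at 446..509
SIGNATURE = b"\x55\xaa"    # bytes 510..511


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries; raise if the MBR is malformed."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 55AA boot signature")
    parts = []
    for i in range(4):
        off = CODE_AREA + i * PART_ENTRY
        # status, CHS start (3 bytes, skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def safe_to_rewrite(mbr: bytes) -> bool:
    """The page's precondition for FDISK /MBR: the partition table must still be usable."""
    try:
        return len(parse_partitions(mbr)) > 0
    except ValueError:
        return False


def find_text_in_boot_code(mbr: bytes, needle: bytes) -> bool:
    """Search only the code area for a text fragment, never the partition table."""
    return needle in mbr[:CODE_AREA]


def rewrite_boot_code(mbr: bytes, clean_code: bytes) -> bytes:
    """Emulate FDISK /MBR: replace bytes 0..445, keep bytes 446..511 as they are."""
    if not safe_to_rewrite(mbr):
        raise ValueError("partition table not usable; do not rewrite the MBR")
    if len(clean_code) > CODE_AREA:
        raise ValueError("boot code longer than 446 bytes")
    return clean_code.ljust(CODE_AREA, b"\x00") + mbr[CODE_AREA:]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: the given boot code plus one bootable FAT16 entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x06, b"\xfe\xff\xff",
                        63, 4194241)  # constructed: LBA 63, about 2 GB
    table = entry + b"\x00" * (PART_ENTRY * 3)
    return boot_code.ljust(CODE_AREA, b"\x00") + table + SIGNATURE


# Constructed stand-ins; neither is real Sampo code nor real DOS boot code.
# Assumption (not stated on the page): the banner text sits in the code area as ASCII.
INFECTED_CODE = b"\xeb\x3c\x90" + b'S A M P O "Project X" SAMPO X-Team'
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"  # placeholder, not real boot code


def demo() -> dict:
    """Run the procedure on the constructed sample and report what changed."""
    infected = build_sample_mbr(INFECTED_CODE)
    before = parse_partitions(infected)
    cleaned = rewrite_boot_code(infected, CLEAN_CODE)
    return {
        "banner_before": find_text_in_boot_code(infected, b"Project X"),
        "banner_after": find_text_in_boot_code(cleaned, b"Project X"),
        "table_preserved": parse_partitions(cleaned) == before,
        "partitions": before,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The rewrite function refuses to touch an image whose signature or partition table is missing, which is the programmatic form of the page's advice not to use FDISK when DIR reports "Invalid drive specification": rewriting the code area cannot repair a damaged table, and a boot sector virus that relocated the table would be made unrecoverable by it.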

Sampo is common all over the world.





Technical Details: Jeremy Gumbley, Symbolic & Mikko Hypponen, F-Secure

