Threat description




The Sampo virus, also known as '69', seem to come originally from the Philippines. This boot sector virus was discovered in England and Norway in November 1994. After that, it has been reported in Hong Kong, Singapore, Australia, Finland, Belgiëum, USA...generally world-wide.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Sampo can infect a computer's hard disk only if the computer is booted from an infected diskette, in which case the virus infects the hard disk's Main Boot Record. Virus stays resident after the floppy boot. The virus also goes resident in memory the next time the computer is booted from the hard disk. Once in memory, Sampo infects all non-write protected diskettes used in the computer.

Sampo takes hold of the interrupts 08h, 09h and 13h (clock, keyboard and disk operations). When Ctrl-Alt-Del is pressed, the virus will attempt to fake a warm boot, keeping itself resident.

Sampo activates on the 30th of November, after the machine has been used for a couple of hours. Then it displays a blue box on the screen's upper corner. In the box, Sampo prints in cyan the following text :

 S A M P O "Project X" Copyright (c)1991 by the SAMPO X-Team. All rights reserved. University Of The East Manila

Sampo incorporates also one peculiarity; it carries the old Kampana virus with it, and it will make clean write-protected diskettes appear to be infected with it, if they are examined while Sampo is resident. It probably does this to fool users to remove write-protection from floppies and to try to disinfect Kampana, so Sampo can infect the floppies.

Sampo virus can also be disinfected manually by cold-booting the infected machine from a boot diskette with MS-DOS 5 or 6. The FDISK utility should be copied to the boot diskette beforehand. After booting the machine, test that all hard disk partitions are visible with with DIR command. If you receive an error message like "Invalid drive specification", do not try to use FDISK to remove the virus. If all partitions can be seen then the command FDISK /MBR will overwrite the virus in the master boot record. After a succesful disinfection the machine can be booted normally again. Floppy disks can be disinfected manually by SYSing them on a clean machine.

Sampo is common all over the world.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

More Info