Category: Malware

Type: Virus

Aliases: Sampo, 69, Wllop, Sanpo


The Sampo virus, also known as '69', seem to come originally from the Philippines. This boot sector virus was discovered in England and Norway in November 1994. After that, it has been reported in Hong Kong, Singapore, Australia, Finland, Belgiëum, USA...generally world-wide.


Automatic action

Based on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the detected program or file, or ask you for a desired action.

Knowledge Base

Find the latest advice in our Community Knowledge Base.

About the product

See the manual for your F-Secure product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

Sampo can infect a computer's hard disk only if the computer is booted from an infected diskette, in which case the virus infects the hard disk's Main Boot Record. Virus stays resident after the floppy boot. The virus also goes resident in memory the next time the computer is booted from the hard disk. Once in memory, Sampo infects all non-write protected diskettes used in the computer.

Sampo takes hold of the interrupts 08h, 09h and 13h (clock, keyboard and disk operations). When Ctrl-Alt-Del is pressed, the virus will attempt to fake a warm boot, keeping itself resident.

Sampo activates on the 30th of November, after the machine has been used for a couple of hours. Then it displays a blue box on the screen's upper corner. In the box, Sampo prints in cyan the following text :

 S A M P O "Project X" Copyright (c)1991 by the SAMPO X-Team. All rights reserved. University Of The East Manila

Sampo incorporates also one peculiarity; it carries the old Kampana virus with it, and it will make clean write-protected diskettes appear to be infected with it, if they are examined while Sampo is resident. It probably does this to fool users to remove write-protection from floppies and to try to disinfect Kampana, so Sampo can infect the floppies.

Sampo virus can also be disinfected manually by cold-booting the infected machine from a boot diskette with MS-DOS 5 or 6. The FDISK utility should be copied to the boot diskette beforehand. After booting the machine, test that all hard disk partitions are visible with with DIR command. If you receive an error message like "Invalid drive specification", do not try to use FDISK to remove the virus. If all partitions can be seen then the command FDISK /MBR will overwrite the virus in the master boot record. After a succesful disinfection the machine can be booted normally again. Floppy disks can be disinfected manually by SYSing them on a clean machine.

Sampo is common all over the world.