Sampo

This page shows details and results of our analysis on the malware Sampo

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine

5600.1067

File Length

512 Bytes

Description Added

1998-11-30

Description Modified

1998-11-30

Malware Proliferation

Characteristics

Sampo is a memory resident Master Boot Record (MBR)/Boot Sector infector. MBR/Boot Sector viruses are some of the most successful viruses. They are fairly easy to write, and they take control of the computer at a low level.

Upon infection with Sampo, the virus infects the system's hard disk Master Boot Record and becomes memory resident. The Sampo virus does not corrupt saved files on an infected system.

Sampo plays a trick on users. It incorporates another virus called Kampana with it. When a user attempts to access a clean write-protected diskette, it appears that the diskette is infected with Kampana. Thus when the user unwrite-protects the diskette to disinfect it from Kampana, the Sampo virus infects the diskette.

Symptoms

November 30th acts as a trigger for the Sampo virus. On this date, Sampo displays a blue box and the following message:

"S A M P O"
"Project X"
"Copyright (c) 1991 by the SAMPO X-Team."
"All rights reserved."
"University of the East Manilla"

Total system and available free memory decreases by 512 bytes.

Because of the changes Sampo makes to the system's Master Boot Record, the user may experience problems booting the system, and difficulty accessing disk drives.

Method of Infection

The only way to infect a computer with an MBR/Boot Sector infector is to attempt to boot from an infected floppy diskette. The boot sector of the diskette has the code to determine if the diskette is bootable, and to display the "Non-system disk or disk error" message. It is this code that harbors the infection. By the time the non-system disk error message comes up, the infection has occurred. Once the virus is executed, it will infect the hard drive's MBR and may become memory resident. With every subsequent boot, the virus will be loaded into memory and will attempt to infect floppy diskettes accessed by the machine.

Removal


Windows 95/98:
Note for Windows 9x systems - during the boot process a Windows95 created boot disk will access the hard drive for information. Because of this an image of the virus may be in memory but not active.

To remove the virus, follow the following steps:
- If you use the McAfee emergency disk, hit F8 at the starting Windows 95 message, and select Step-by-step Configuration. Say yes to everything except processing the autoexec.bat file.
- At the a:, type
BOOTSCAN C: /BOOT /CLEAN /NOMEM

Windows NT/2000:
Shut down the PC and turn the power off. Obtain or create a virus free boot disk and scan disk. After booting, at the A:\ prompt, execute the following command:
BOOTSCAN C: /boot /clean

Once the virus has been removed, remove all floppy diskettes from the computer and reboot from the hard drive.

This will also clean an NTFS Master Boot Record and allow Windows NT to successfully reboot from the hard disk drive. VirusScan for DOS will not be able to read the rest of the NTFS partition. After starting Windows, execute VirusScan or NetShield to detect and clean Windows NT file infections which may exist.

Variants