%%File: VIRS0676.TXT
%%Name/Aliases: Sampo, Wllop, Turbo
%%Platform: PC/MS-DOS
%%Type: Boot sector.
%%Disk Location: Floppy disk boot sector; hard disk partition table.
%%Features: Memory resident; TSR above TOM; displays message; overrides several MBS viruses and takes control; stealth; simulates warm reboot.
%%Damage: On Nov. 30, displays message; installs 'Telefonica.A' virus under specific conditions; sends misleading messages and plays tricks on users.
%%Size: Overlays boot sector, no increase
%%See Also: Stoned and its variants
%%Notes: From VB March & April 1995 issues:

Sampo is in the wild in England and Singapore. It is an MBS infector, or Partition Table (PT) sector infector, on hard disk. It acquires 6 kbyte of memory for its code, just below the 640 kbyte of the base memory. The method of installing itself is similar to any MBS virus. It stores the original MBS in sector 14, track 0.

The virus has a few interesting features. It knows several MBS viruses (Stoned is one of them), and it carries an encrypted copy of the virus 'Telefonica.A' with itself. Before installing itself, Sampo searches for these viruses and extracts any valuable information they have obtained from the system. When it installs itself at the top of memory, it overwrites all the alterations made by those viruses; thus it controls the system, overriding the others.

The virus is capable of surviving a warm reboot (i.e. using the Ctrl-Alt-Del keys). It simulates the complete process involved in the warm reboot, deceiving the user and remaining in memory.

Sampo delivers its payload on 30 November, about 2 hours after booting. It displays the following message:

    S A M P O "Project X" Copyright (c) 1991 by the Sampo X-Team. All rights reserved. University Of The East Manila

Sampo is partial to floppy disks, and it attacks them with a vengeance. The memory-resident Sampo attempts to infect the boot sector of a floppy disk during any read function, such as after a DIR command. First, it checks for the write-protection attribute. The floppy disk will be infected readily when it is not write-protected. If it is write-protected, then Sampo plays a trick and causes trouble: it copies an image of the Telefonica.A virus to the buffer and informs the user that the boot sector is infected with the Telefonica.A virus, when in reality the floppy is quite clean. This message is misleading, because the user will try to remove a virus that does not exist on the boot sector. When the boot sector of a write-protected floppy disk is copied to an infected system, the boot sector of the copy will actually be infected with the Telefonica.A virus.

The recommended method for disinfection is to use the FDISK /MBR command under clean system conditions.
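The note that the original MBS is kept in sector 14, track 0 gives a concrete thing to look for in a raw disk image taken from a clean boot. The following is an added example, not part of the original record: it flags an MBR-shaped sector at that location that differs from sector 0, as a lead for manual review rather than a verdict. It assumes 512-byte sectors and that "sector 14 track 0" means head 0 (LBA 13); all function names and sample images are constructed for illustration.

```python
import struct

SECTOR = 512
# Assumption: "sector 14 track 0" = cylinder 0, head 0, sector 14 (1-based), i.e. LBA 13.
STASH_LBA = 13

def looks_like_mbr(sector: bytes) -> bool:
    """True for a 512-byte sector with the 0x55AA signature and a plausible partition table."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    entries = [sector[446 + 16 * i:462 + 16 * i] for i in range(4)]
    # Each boot flag is 0x00 or 0x80, and at least one entry has a partition type set.
    return all(e[0] in (0x00, 0x80) for e in entries) and any(e[4] for e in entries)

def check_image(image: bytes) -> dict:
    """Flag an MBR-shaped sector at the stash location that differs from sector 0."""
    sector0 = image[:SECTOR]
    stash = image[STASH_LBA * SECTOR:(STASH_LBA + 1) * SECTOR]
    stash_is_mbr = looks_like_mbr(stash)
    return {
        "sector0_is_mbr": looks_like_mbr(sector0),
        "stash_is_mbr": stash_is_mbr,
        "relocated_mbr_suspected": stash_is_mbr and stash != sector0,
    }

def make_mbr(fill: int) -> bytes:
    """Constructed test sector: filler 'code' bytes, one FAT16 entry, boot signature."""
    entry = struct.pack("<8B2I", 0x80, 1, 1, 0, 0x06, 15, 63, 100, 63, 100000)
    return bytes([fill]) * 446 + entry + bytes(48) + b"\x55\xaa"

def make_image(sector0: bytes, stash: bytes = bytes(SECTOR)) -> bytes:
    """Constructed 63-sector track 0 with the given sector 0 and stash sector."""
    sectors = [bytes(SECTOR)] * 63
    sectors[0], sectors[STASH_LBA] = sector0, stash
    return b"".join(sectors)

# Constructed samples: no real virus code, only filler bytes.
CLEAN = make_image(make_mbr(0x90))
RELOCATED = make_image(make_mbr(0xCC), stash=make_mbr(0x90))

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("relocated", RELOCATED)):
        print(name, check_image(img))
```

Run it against an image acquired from a clean boot, since the record lists stealth among the virus's features and reads made while it is resident may not show the real sector 0.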