Q237918: WD97: How to Clear the Poppy Macro Virus
Article: Q237918 Product(s): Word 97 for Windows Version(s): Operating System(s): Keyword(s): kbdta wd2000 Last Modified: 11-JUN-2002 ------------------------------------------------------------------------------- The information in this article applies to: - Microsoft Word 97 for Windows ------------------------------------------------------------------------------- IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base: Q256986 Description of the Microsoft Windows Registry SUMMARY ======= This article contains information about the Poppy Macro virus and how to clear it from your computer. MORE INFORMATION ================ The Poppy Macro virus functions in the following ways: - It infects your Normal template by placing code in the Visual Basics for Applications (VBA) module called ThisDocument. - It makes changes in the registry by changing the registered user and organization. - It imports a class.sys module to the Normal.dot file. - On the fourteenth of every month after the month after May, a message box appears that says "<UserName> is a Jerk." Attempts to clear the code in the ThisDocument module will remove the virus code, but some macro storage components are left behind. The macro virus protection feature finds this information, and the warning message is displayed. For additional information, click the article number below to view the article in the Microsoft Knowledge Base: Q161515 WD97: Macro Virus Warning Displayed When No Macros Exist in File To completely clear the Poppy Macro virus, follow these steps: 1. Obtain the latest virus program (or signature file) from your anti-virus software vendor, run the program on a known infected document, and check to make sure that it appears "clean". (To contact your anti-virus software vendor, please see the "References" section later in this article.) 2. Rename the Normal template (Normal.dot file). To do this, follow these steps: a. Quit all instances of Word, including WordMail. b. On the Windows taskbar, click Start, point to Find, and click Files or Folders. c. In the Named box, type "Normal.dot" (without the quotation marks). d. In the Look in box, select your local hard disk drive (or an alternate user template location if you are running Word from a network server). e. Click Find Now to search for the file. f. For each occurrence of Normal.dot that appears in the Find dialog box, right-click the file. Click Rename on the shortcut menu. Give the file a new name, such as OldNormal.dot or Normal-1.dot. 3. Delete the Data key. NOTE: Deleting the Data key resets several options back to the default settings, including the File menu's most recently used file list, and many settings you customize in the Options dialog boxes. WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk. To delete the Data key, follow these steps: a. Quit all instances of Word, including WordMail. b. On the Windows taskbar, click the Start button and click Run. c. In the Open box, type "regedit" (without the quotation marks) and click OK. d. Locate the following key by double-clicking the appropriate folders: HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Data e. With the Data folder selected (on the left), click Delete on the Edit menu to delete the key. f. Click Yes when you are prompted to confirm the deletion. g. Quit the registry editor and restart Word. REFERENCES ========== For additional information about what to do if you think you have a Word macro virus, click the article number below to view the article in the Microsoft Knowledge Base: Q181079 WD97: What to Do If You Have a Macro Virus For information about how to contact your anti-virus application vendor, click the appropriate article number below to view the article in the Microsoft Knowledge Base: Q65416 Hardware and Software Third-Party Vendor Contact List, A-K Q60781 Hardware and Software Third-Party Vendor Contact List, L-P Q60782 Hardware and Software Third-Party Vendor Contact List, Q-Z Additional query words: symantec network associates cheyenne macafee ibm ====================================================================== Keywords : kbdta wd2000 Technology : kbWordSearch kbWord97 kbWord97Search kbZNotKeyword2 Version : : Issue type : kbinfo =============================================================================
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
Copyright Microsoft Corporation 1986-2002.