Microsoft KB Archive/237918

= WD97: How to Clear the Poppy Macro Virus =

Article ID: 237918

Article Last Modified on 1/24/2007

-

APPLIES TO


 * Microsoft Word 97 Standard Edition

-



This article was previously published under Q237918



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
This article contains information about the Poppy Macro virus and how to clear it from your computer.



MORE INFORMATION
The Poppy Macro virus functions in the following ways:
 * It infects your Normal template by placing code in the Visual Basics for Applications (VBA) module called ThisDocument.
 * It makes changes in the registry by changing the registered user and organization.
 * It imports a class.sys module to the Normal.dot file.
 * On the fourteenth of every month after the month after May, a message box appears that says " is a Jerk."

Attempts to clear the code in the ThisDocument module will remove the virus code, but some macro storage components are left behind. The macro virus protection feature finds this information, and the warning message is displayed.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

161515 WD97: Macro Virus Warning Displayed When No Macros Exist in File

To completely clear the Poppy Macro virus, follow these steps:  Obtain the latest virus program (or signature file) from your anti-virus software vendor, run the program on a known infected document, and check to make sure that it appears "clean". (To contact your anti-virus software vendor, please see the "References" section later in this article.) Rename the Normal template (Normal.dot file). To do this, follow these steps:

 Quit all instances of Word, including WordMail. On the Windows taskbar, click Start, point to Find, and click Files or Folders. In the Named box, type Normal.dot . In the Look in box, select your local hard disk drive (or an alternate user template location if you are running Word from a network server).</li> Click Find Now to search for the file.</li> For each occurrence of Normal.dot that appears in the Find dialog box, right-click the file. Click Rename on the shortcut menu. Give the file a new name, such as OldNormal.dot or Normal-1.dot.</li></ol> </li> Delete the Data key.

NOTE: Deleting the Data key resets several options back to the default settings, including the File menu's most recently used file list, and many settings you customize in the Options dialog boxes.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:

181471 WD97: How to Reset User Options and Registry Settings

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

To delete the Data key, follow these steps:

<ol style="list-style-type: lower-alpha;"> Quit all instances of Word, including WordMail.</li> On the Windows taskbar, click the Start button and click Run.</li> In the Open box, type regedit and click OK.</li> Locate the following key by double-clicking the appropriate folders:

HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Data</li> With the Data folder selected (on the left), click Delete on the Edit menu to delete the key.</li> Click Yes when you are prompted to confirm the deletion.</li> Quit the registry editor and restart Word.</li></ol> </li></ol>

<div class="references_section">