WD97: How to Clear the Poppy Macro Virus

ID: Q237918


The information in this article applies to:
  • Microsoft Word 97 for Windows


SUMMARY

This article contains information about the Poppy Macro virus and how to clear it from your computer.

IMPORTANT: This article contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.


MORE INFORMATION

The Poppy Macro virus functions in the following ways:

  • It infects your Normal template by placing code in the Visual Basic for Applications (VBA) module called ThisDocument.


  • It makes changes in the registry by changing the registered user and organization.


  • It imports a class.sys module to the Normal.dot file.


  • On the 14th of every month after the month after May, a message box appears that says "<UserName> is a Jerk."



Attempts to clear the code in the ThisDocument module will remove the virus code, but some macro storage components are left behind. The macro virus protection feature finds this information, and the warning message is displayed.

For additional information, please see the following article in the Microsoft Knowledge Base:

Q161515 WD97: Macro Virus Warning Shows When No Macros Exist in File

To completely clear the Poppy Macro virus, follow these steps:
  1. Get the latest antivirus program from Symantec or Network Associates, Inc., run the cleaner on a known infected document, and check to make sure it appears "clean". (To contact Symantec or Network Associates, Inc., please see "References" later in this article.)


  2. Rename the Normal template (Normal.dot file).

    To rename the Normal.dot file, follow these steps:
    1. Quit all instances of Word, including WordMail.


    2. On the Windows taskbar, click Start, point to Find, and click Files or Folders.


    3. In the Named box, type "Normal.dot" (without the quotation marks).


    4. In the Look in box, select your local hard disk drive (or an alternate user template location if you are running Word from a network server).


    5. Click Find Now to search for the file.


    6. For each occurrence of Normal.dot that appears in the Find dialog box, right-click the file. Click Rename on the shortcut menu. Give the file a new name, such as OldNormal.dot or Normal-1.dot.


  3. Delete the Data key.

    NOTE: Deleting the Data key resets several options back to the default settings, including the File menu's most recently used file list, and many settings you customize in the Options dialog boxes.

    WARNING: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk.

    For information about how to edit the registry, view the "Changing Keys and Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe. Note that you should back up the registry before you edit it. If you are running Windows NT, you should also update your Emergency Repair Disk (ERD).

    To delete the Data key, follow these steps:
    1. Quit all instances of Word, including WordMail.


    2. On the Windows taskbar, click the Start button and click Run.


    3. In the Open box, type "regedit" (without the quotation marks), and click OK.


    4. Locate the following key by double-clicking the appropriate folders:
      HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Data


    5. With the Data folder selected (on the left), click Delete on the Edit menu to delete the key.


    6. Click Yes when you are prompted to confirm the deletion.


    7. Quit the registry editor and restart Word normally (without using the /a switch).
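
The rename and Data-key steps above, scripted in PowerShell as an added example; it is not part of the original article, and PowerShell post-dates the Windows versions the article covers. The parameter names, the OldNormal-<timestamp>.dot naming and the backup folder are assumptions, and the script exports the Data key to a .reg file before deleting it.

```powershell
# Added example: automates the "rename Normal.dot" and "delete the Data key"
# steps. It does not replace running an antivirus cleaner on infected documents.
# $SearchRoot and $BackupDir are assumed defaults; adjust before running.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchRoot = "$env:SystemDrive\",
    [string]$BackupDir  = "$env:TEMP\PoppyCleanup"
)

# The article requires all instances of Word (including WordMail) to be closed.
if (Get-Process -Name winword -ErrorAction SilentlyContinue) {
    throw 'Word is still running. Quit Word and WordMail, then run again.'
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Rename every Normal.dot under the search root so Word builds a fresh template.
# The renamed file is kept in place for later inspection, not deleted.
Get-ChildItem -Path $SearchRoot -Filter 'Normal.dot' -Recurse -File -Force `
        -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -eq 'Normal.dot' } |
    ForEach-Object {
        $newName = "OldNormal-$stamp.dot"
        if ($PSCmdlet.ShouldProcess($_.FullName, "Rename to $newName")) {
            Rename-Item -LiteralPath $_.FullName -NewName $newName
        }
    }

# Back up, then delete, the Word 97 Data key named in the article.
$keyPath = 'HKCU:\Software\Microsoft\Office\8.0\Word\Data'   # PowerShell path
$regPath = 'HKCU\Software\Microsoft\Office\8.0\Word\Data'    # reg.exe path
if (Test-Path -LiteralPath $keyPath) {
    $backup = Join-Path $BackupDir "Word8-Data-$stamp.reg"
    if ($PSCmdlet.ShouldProcess($regPath, "Export to $backup and delete")) {
        & reg.exe export $regPath $backup /y | Out-Null
        # Refuse to delete if the export did not succeed.
        if ($LASTEXITCODE -ne 0) { throw 'Export failed; Data key not deleted.' }
        Remove-Item -LiteralPath $keyPath -Recurse
    }
} else {
    Write-Output 'Data key not found; nothing to delete.'
}
```

Run it with -WhatIf first to list the files and the key it would change without modifying anything.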



REFERENCES

For information about how to contact Symantec or Network Associates, Inc. (formerly McAfee), please query in the Knowledge Base for one or more of the following articles:

Q65416 Hardware and Software Third-Party Vendor Contact List, A-K

Q60781 Hardware and Software Third-Party Vendor Contact List, L-P

Q60782 Hardware and Software Third-Party Vendor Contact List, Q-Z

Keywords : kbdta wd2000 ocsso
Version : WINDOWS:97
Platform : WINDOWS
Issue type : kbinfo


Last Reviewed: July 26, 1999