|
 |
 |
 |
|
Microsoft Knowledge Base Article
This article contents is Microsoft Copyrighted material.
©2005-©2007 Microsoft Corporation. All rights reserved. Terms
of Use |
Trademarks
Article ID: 237918 - Last Review: January 24, 2007 - Revision: 1.2 WD97: How to Clear the Poppy Macro VirusThis article was previously published under Q237918 IMPORTANT: This article contains information about modifying the registry. Before you
modify the registry, make sure to back it up and make sure that you understand how to restore
the registry if a problem occurs. For information about how to back up, restore, and edit the
registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986Â
(http://kbalertz.com/Feedback.aspx?kbNumber=256986/EN-US/
)
Description of the Microsoft Windows Registry
This article contains information about the Poppy Macro virus and how to clear it from your computer.
The Poppy Macro virus functions in the following ways:
- It infects your Normal template by placing code in the Visual Basics for Applications (VBA) module called ThisDocument.
- It makes changes in the registry by changing the registered user and organization.
- It imports a class.sys module to the Normal.dot file.
- On the fourteenth of every month after the month after May, a message box appears that says "<UserName> is a Jerk."
Attempts to clear the code in the ThisDocument module will remove the virus code, but some macro storage components are left behind. The macro virus protection feature finds this information, and the warning message is displayed. For additional information, click the article number below
to view the article in the Microsoft Knowledge Base:
161515Â
(http://kbalertz.com/Feedback.aspx?kbNumber=161515/EN-US/
)
WD97: Macro Virus Warning Displayed When No Macros Exist in File
To completely clear the Poppy Macro virus, follow these steps:
- Obtain the latest virus program (or signature file) from your anti-virus software vendor, run the program on a known infected document, and check to make sure that it appears "clean". (To contact your anti-virus software vendor, please see the "References" section later in this article.)
- Rename the Normal template (Normal.dot file). To do this, follow these steps:
- Quit all instances of Word, including WordMail.
- On the Windows taskbar, click Start, point to Find, and click Files or Folders.
- In the Named box, type Normal.dot.
- In the Look in box, select your local hard disk drive (or an alternate user template location if you are running Word from a network server).
- Click Find Now to search for the file.
- For each occurrence of Normal.dot that appears in the Find dialog box, right-click the file. Click Rename on the shortcut menu. Give the file a new name, such as OldNormal.dot or Normal-1.dot.
- Delete the Data key.
NOTE: Deleting the Data key resets several options back to the default settings, including the File menu's most recently used file list, and many settings you customize in the Options dialog boxes.
For additional information, click the article number below
to view the article in the Microsoft Knowledge Base:
181471Â
(http://kbalertz.com/Feedback.aspx?kbNumber=181471/EN-US/
)
WD97: How to Reset User Options and Registry Settings
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may
require you to reinstall your operating system. Microsoft cannot guarantee that you can solve
problems that result from using Registry Editor incorrectly. Use Registry Editor at your own
risk.
To delete the Data key, follow these steps:
- Quit all instances of Word, including WordMail.
- On the Windows taskbar, click the Start button and click Run.
- In the Open box, type regedit and click OK.
- Locate the following key by double-clicking the appropriate folders:
HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Data
- With the Data folder selected (on the left), click Delete on the Edit menu to delete the key.
- Click Yes when you are prompted to confirm the deletion.
- Quit the registry editor and restart Word.
For additional information about what to do if you think you have a Word macro virus, click the article number below
to view the article in the Microsoft Knowledge Base:
181079Â
(http://kbalertz.com/Feedback.aspx?kbNumber=181079/EN-US/
)
WD97: What to Do If You Have a Macro Virus
For information about how to contact your anti-virus application vendor, click the appropriate article number in the following list to view the article in the Microsoft Knowledge Base: 65416Â
(http://kbalertz.com/Feedback.aspx?kbNumber=65416/EN-US/
)
Hardware and Software Third-Party Vendor Contact List, A-K 60781Â
(http://kbalertz.com/Feedback.aspx?kbNumber=60781/EN-US/
)
Hardware and Software Third-Party Vendor Contact List, L-P 60782Â
(http://kbalertz.com/Feedback.aspx?kbNumber=60782/EN-US/
)
Hardware and Software Third-Party Vendor Contact List, Q-Z
APPLIES TO- Microsoft Word 97 Standard Edition
| kbdta kbinfo wd2000 KB237918 |
 Retired KB Content DisclaimerThis article was written about products for which Microsoft no longer offers support. Therefore, this article is offered "as is" and will no longer be updated. 
Community Feedback System
Very often, it takes hours to solve a problem. Very often, you've looked high
and low, and have tried a lot of solutions. When you finally found it, chances
are, it was because someone else helped you. Here's your chance to give back.
Use our community feedback tool to let others know what worked for you and what
didn't.
Please also understand that the community feedback system is not warranted to be
correct, it's simply a system that we've built to let people try and help each
other. If something in a feedback response doesn't make sense to you, or you're
not comfortable making changes that the feedback talks about (like registry
edits), please consult a professional.
Thank you for using kbAlertz.com Feedback System.
-- Scott Cate
|
|
 |
|
 |
|
|
|
| |