XP and later does not execute TLS callbacks if USER32 is not loaded. this is undocumented feature that is not mentioned in the MS PE Specification and W2K does not request USER32 to process TLS callbacks, so it’s definitely a bug of XP/S2K3. just a few anti-viruses emulate TLS callbacks (Kaspersky and NOD32), but they don’t know this bug, so there is a way to bypass them. some worms have started to use this trick…

# download paper and POCs



http://nezumi-lab.org/blog/?p=15

i don't understood..
if TLS will not called, then how to use it??

Because if the AV is emulating it anyway, it might think the result is benign. Say the TLS callback just does ExitProcess or something, for example. AV emulates it, says "oh this exe is fine", virus gets by...

where is the POCs?