Abstract: A computer worm works without any user intervention. It is a self-replicating program by spreading copies of itself to other computers on the network. CodeRed I worm attack spread across the world and squandered more than twenty billion dollars. Anomaly detection systems are capable of detecting unknown worm by depending on failure connections but usually this technique suffered from high false alarm. This study developed a new technique that depended on the anomaly detection system by considered new failure connection messages that generated by using SYN scanning worm. The result of the proposed technique was detecting MSBlaster worm with zero false alarm and achieving faster detection from other techniques.