Recent cybersecurity incidents suggest that internet worms can spread so fast that in-time human-mediated reaction is not possible, and therefore initial response to cyberattacks has to be automated. In this paper we present a system for detecting known and unknown worms using honeypots. The proposed system detects worms by monitoring connection activity and watching for patterns of traffic that are expressions of some of the essential characteristics of worm behavior. The implementation is a signature-based detection as a first tier and an anomaly-based as a second tier in the detection process. At a network's gateway, the proposed system runs a vantage point from which all traffic into and out of the network is visible. The system employs a honeypot to capture traffic, after discarding whitelisted patterns; as it automatically generates worm signatures which are matched with the signatures of the known worms stored in original database. When a signature is matched, the system reports it by issuing an alert that also includes the IP addresses involved in the transaction. Otherwise, the system monitors the changes in the performance of CPU, RAM and changes in files in the gateway which are considered as indicators to the presence of worms. The proposed system was evaluated using a dataset collected from internet for several days, and potentially showed good results for detecting and collecting information about worms from local network. It was noticed that the performance was increased up to 23% more than other systems that uses honeypots.