
An Email Worm Protection Framework Based on Anomaly Behavior Detection

An Anomaly Behavior Based Email Worm Protection Framework

Advisor: 田筱榮

Abstract


A computer worm is an autonomous program that spreads over the network. With the popularization of the Internet, this technique has also been adopted by computer crackers as a means of spreading malicious programs; among these, email worms, which spread through electronic mail, have become the most numerous type of worm, so defending against email worms is one of the most important issues in maintaining the security of information systems. Signature-based detection systems, typically deployed on the mail server, cannot protect a system when it is attacked by a previously unknown email worm; anomaly-based detection systems suffer from many false alarms and long training times; and sandbox systems require additional system resources. Furthermore, a detection system deployed on the mail server cannot inspect malicious mail that users receive from web mail or other mail servers outside the organization, and it is easily defeated by the disguise or concealment techniques worms use. To overcome these problems, we designed an email worm protection framework that is deployed on the user host, employs a sandbox, is based on anomaly behavior detection, and uses the malicious program itself as the worm signature. With this framework, at the start of an unknown email worm outbreak inside an organization, during the window before security vendors release an accurate identification signature, our system can already generate a signature for the new worm and stop it from spreading further within the organization.

Abstract (English)


A computer worm is a self-replicating program that propagates itself through network connections. Along with the popularization of the Internet, it has also been adopted by computer crackers as a vehicle for propagating malicious programs. Among all kinds of computer worms, email worms, which spread via email, have become the type with the most occurrences found. Therefore, protecting computers from being compromised in the event of an email worm attack is crucial to the security of information systems. A signature-based detection system deployed on the mail server is, in general, unable to detect a previously unknown email worm, and an anomaly-based detection system has the disadvantages of too many false alarms and too long a training time. Moreover, if users receive email from outside web mail servers or from any source other than the official mail servers, the detection systems deployed on the mail servers are bypassed and thus unable to detect the malicious mails. The detection capability of such a system is also greatly hindered if the email worm employs disguise. In order to resolve these problems, we designed a behavior-based framework to be deployed on user hosts. With this framework, at the early stage of an unknown email worm outbreak, when information security service providers have yet to devise an official solution, a network environment is able to defend itself by automatically generating a signature for the new email worm for malicious program scanners to use, preventing the email worm from infecting other hosts in the organization.

