
An Automatic Extraction Approach of Worm Signatures Based on Behavioral Footprint Analysis

Parallel Abstract


This paper presents an approach for automatically extracting worm signatures based on behavioral footprint analysis. First, suspicious worm traffic is detected based on worm behavior; this detection is an instance of Sequential Change Point Detection. To make the detection mechanism insensitive to site and access pattern, a non-parametric Cumulative Sum (CUSUM) method is applied, which makes the mechanism much more generally applicable and much easier to deploy. Second, the worm behavioral footprint is defined and classified, and the chronicle formalism is applied to correlate the footprints in suspicious worm traffic. Finally, worm signatures are extracted and ascertained by the evaluation function. The experiment shows that the approach can extract worm signatures effectively and accurately. The conclusion is that the worm behavioral footprint cannot identify the worm accurately, but it helps to locate worm signatures, so signatures can be extracted effectively.
