This　paper　presents　a　cooperative　anti-worm　system　model　based　on　distributed　honeypots　for　local　area　network(LAN).　This　model　deployes　honeypot　systems　in　DMZ,　at　the　back　of　firewall　and　in　the　internal　subnets　respectively.　Honeypot　systems　cooperate　with　intrusion　detection　system　(IDS)　and　firewall　to　prevent　the　worm　attack　from　outside　or　inside　LAN　by　the　monitor　center.　Honeypots　are　not　only　able　to　lure　a　variety　of　network　worms　and　collect　new　worm　data,　but　also　able　to　take　measures　to　prevent　worms　from　further　spreading.　The　monitoring　center　is　mainly　responsible　for　further　analyzing　the　suspicious　data　send　back　by　each　honeypot　system　and　extracting　new　type　of　worm　attack　patterns　and　then　sending　them　to　the　firewall　and　ID　agents.　The　firewall　and　ID　agents　accept　the　feedback　from　the　monitoring　center　to　update　their　own　rules,　so　they　are　able　to　respond　to　the　new　type　of　worms.　By　collaborating　between　honeypots　and　other　security　systems,　the　system　is　able　to　quickly　respond　to　a　variety　of　worm　attacks　from　outside　or　inside　LAN　and　provide　a　lot　of　evidence　for　administrators.　©2010　IEEE.