In this paper we propose a novel worm detection method that can detect silent worms in intranet. Most existing detection methods use aggressive activities of worms as a clue for detection and are ineffective against worms that propagate silently using a list of vulnerable hosts. To detect such worms, we propose Anomaly Connection Tree Method (ACTM). ACTM uses two features present to most worms. First is that the worms's propagation behaviour is expressed as tree-like structures. Second is that the worm's selection of infection targets does not consider which hosts its infected host communicates to frequently. Then, by constructing trees that are composed of anomaly connections, ACTM detects the existence of such worms. Through the simulation results, we have shown that ACTM can detect the worms in an early stage.