Abstract: Traditional signature-based methods fail to identify obfuscated malicious code, while dynamic methods consume a large amount of resources. Currently, most machine-learning-based detection methods cannot effectively distinguish trojan horses, worms and other malware. Hence, we propose a new classification method based on malicious behavior features. The new method first extracts malicious-oriented instructions and, on that basis, learns the specific malicious behavior sequential patterns of each malware category. Each sample is then projected into a new space composed of these sequential patterns. Based on this new feature representation, a nearest neighbor classifier is constructed to classify the malicious code. Experimental results show that the proposed method can effectively capture malicious behavior and distinguish the differences among the behaviors of different malware categories, thereby sharply improving classification precision.
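The pipeline the abstract outlines (per-category sequential patterns, projection into the pattern space, nearest neighbor classification) can be sketched as follows. This is an added example, not the paper's code. The token names, the fixed-length pattern miner with a support threshold, the binary containment features and the Hamming distance are all assumptions, and the traces are constructed.

```python
from collections import Counter
from itertools import combinations

# Constructed training traces (token names are illustrative, not from the paper).
TRAIN = {
    "trojan": [
        ["RegOpenKey", "RegSetValue", "CreateFile", "WriteFile", "connect", "recv"],
        ["CreateFile", "RegOpenKey", "RegSetValue", "connect", "recv", "WriteFile"],
        ["RegOpenKey", "GetTickCount", "RegSetValue", "connect", "recv"],
    ],
    "worm": [
        ["socket", "connect", "send", "CopyFile", "connect", "send"],
        ["FindFirstFile", "CopyFile", "socket", "connect", "send"],
        ["socket", "GetTickCount", "connect", "send", "CopyFile"],
    ],
}

def is_subseq(pattern, seq):
    """True if pattern's tokens occur in seq in order (gaps allowed)."""
    it = iter(seq)
    return all(tok in it for tok in pattern)

def mine_patterns(seqs, length=2, min_support=1.0):
    """Assumed miner: ordered tuples present in >= min_support of a category's traces."""
    counts = Counter()
    for s in seqs:
        counts.update(set(combinations(s, length)))
    return {p for p, c in counts.items() if c >= min_support * len(seqs)}

def build_space(train):
    """Pattern space: per-category patterns, minus those common to every category."""
    per_cat = [mine_patterns(seqs) for seqs in train.values()]
    return sorted(set.union(*per_cat) - set.intersection(*per_cat))

def project(seq, space):
    """Binary vector: one coordinate per sequential pattern."""
    return [int(is_subseq(p, seq)) for p in space]

def classify(seq, train, space):
    """1-nearest neighbour under Hamming distance in the pattern space."""
    vec = project(seq, space)
    dist = lambda s: sum(a != b for a, b in zip(vec, project(s, space)))
    return min((dist(s), cat) for cat, seqs in train.items() for s in seqs)[1]

SPACE = build_space(TRAIN)

if __name__ == "__main__":
    # Constructed sample: trojan-like behaviour padded with junk calls.
    sample = ["GetTickCount", "RegOpenKey", "Sleep", "RegSetValue", "connect", "Sleep", "recv"]
    print(classify(sample, TRAIN, SPACE), project(sample, SPACE))
```

Because the patterns allow gaps, inserted junk instructions do not change a sample's coordinates in the pattern space, which is the property that makes this representation more robust to simple obfuscation than exact signatures.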