ZUO Li-ming, LIU Er-gen, XU Bao-gen, TANG Peng-zhi. Research on family attribution decision for unknown malicious code [J]. Microelectronics & Computer, 2012, 29(2): 188-191, 196. (Chinese-language citation)
ZUO Li-ming, LIU Er-gen, XU Bao-gen, TANG Peng-zhi. A Research on Decision-making of Unknown Malicious Code's Family [J]. Microelectronics & Computer, 2012, 29(2): 188-191, 196.

Research on Family Attribution Decision for Unknown Malicious Code

A Research on Decision-making of Unknown Malicious Code's Family

  • Abstract (translated from the Chinese): The concept of an API-call function feature set for malicious code is proposed. Based on the observation that different malicious codes call the same API functions to implement the same functionality, a malicious-code feature extraction method based on sets of called API functions is given. Set operations are used to obtain the family function feature set; fuzzy clustering and the entropy method are used to compute the positive membership degree of an unknown malicious code in each known malicious code family; the family of the unknown malicious code is then determined by the principle of maximum positive membership degree; and finally a worked example is given. The method needs no manual intervention in the decision and is easy to implement in a program.


    Abstract: A new concept, the system API-call feature set of malicious code, is introduced. Based on the observation that different malicious codes call the same API functions to implement the same malicious functionality, a new method for extracting and analysing malicious-code features from the set of called API functions is put forward. The method uses set operations to obtain the family function feature set, computes the membership degree between an unknown malicious code and each known malicious code family by fuzzy clustering and the entropy method, and then decides the family of the unknown malicious code by the principle of maximum membership degree. Finally, an example is given to verify the method. The proposed method is easy to implement and runs automatically, without any manual intervention.
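The following Python is an added illustration, not code from the paper: it shows the pipeline in miniature, with family feature sets obtained by set intersection over each family's known samples, an entropy-method weight per API so that APIs common to every family carry no weight, a positive membership degree per family, and the maximum-membership decision. The paper's fuzzy-clustering step is replaced here by a simple weighted set-overlap score, the sample API sets, family names and unknown sample are constructed, and at least two families are assumed.

```python
import math
# Constructed API-call sets for known samples of three families (illustrative
# data, not the paper's samples). Each set is the API names one sample calls.
KNOWN_SAMPLES = {
    "family_A": [  # process-injection style
        {"CreateRemoteThread", "WriteProcessMemory", "OpenProcess", "VirtualAllocEx", "GetProcAddress", "LoadLibraryA"},
        {"CreateRemoteThread", "WriteProcessMemory", "OpenProcess", "VirtualAllocEx", "GetProcAddress", "CloseHandle"},
    ],
    "family_B": [  # registry-persistence style
        {"RegSetValueExA", "RegOpenKeyExA", "CreateFileA", "WriteFile", "GetProcAddress", "LoadLibraryA"},
        {"RegSetValueExA", "RegOpenKeyExA", "CreateFileA", "WriteFile", "GetProcAddress", "ExitProcess"},
    ],
    "family_C": [  # network-backdoor style
        {"socket", "connect", "send", "recv", "GetProcAddress", "LoadLibraryA"},
        {"socket", "connect", "send", "recv", "GetProcAddress", "WSAStartup"},
    ],
}
# Constructed unknown sample: mostly family_A calls plus two family_C calls.
UNKNOWN_SAMPLE = {"CreateRemoteThread", "WriteProcessMemory", "OpenProcess",
                  "GetProcAddress", "LoadLibraryA", "socket", "connect"}

def family_feature_set(samples):
    """Family API feature set: the APIs every known member calls (set intersection)."""
    return set.intersection(*samples)

def entropy_weights(family_sets):
    """Entropy-method weight per API: an API in every family feature set (here
    GetProcAddress) has maximal entropy and weight 0; a family-unique API weighs most."""
    families, m = list(family_sets), len(family_sets)
    info = {}
    for api in set.union(*family_sets.values()):
        hits = [1.0 if api in family_sets[f] else 0.0 for f in families]
        probs = [h / sum(hits) for h in hits if h]
        entropy = -sum(p * math.log(p) for p in probs) / math.log(m)
        info[api] = max(0.0, 1.0 - entropy)  # information utility of this API
    norm = sum(info.values())
    return {api: v / norm for api, v in info.items()}

def membership(unknown_apis, feature_set, weights):
    """Positive membership degree in [0, 1]: weighted share of the family feature set that the sample calls."""
    total = sum(weights[a] for a in feature_set)
    return sum(weights[a] for a in feature_set & unknown_apis) / total if total else 0.0

def decide_family(unknown_apis, known_samples):
    """Maximum-membership decision: returns (best family, all membership degrees)."""
    family_sets = {f: family_feature_set(s) for f, s in known_samples.items()}
    weights = entropy_weights(family_sets)
    degrees = {f: membership(unknown_apis, fs, weights) for f, fs in family_sets.items()}
    return max(degrees, key=degrees.get), degrees
```

With the constructed data the unknown sample is assigned to family_A with membership 0.75, against 0.5 for family_C and 0 for family_B.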

