Most of the current detection of P2P(Peer to Peer) Botnet adopts traditional reverse engineering method, which is very accurate, but difficult to be implemented and shows low efficiency. It becomes ineffective for variants. This paper attempts to find a data stream anomaly detection method suitable to the data stream application cases, and tries to apply it to P2P Zombie Virus detection. By monitoring network data stream, the special behaviors of P2P Zombie Virus in their spreading can be found. The locating of the zombie host can be realized by capturing those behaviors.