The malware probably queries a site like whatismyipaddress.com to get the public IP of the location it's connecting through - it would be incredibly stupid and not very dangerous if it only sent the system's own IP. This would explain why TOR and VPNs could defeat it.