The malware probably queries a site like whatismyipaddress.com to get the public IP of the location it's connecting through - it would be incredibly stupid and not very dangerous if it only sent the system's own IP. This would explain why TOR and VPNs could defeat it.
Biting the hand that feeds IT
