This is minutiae at this point, but it scans the "local" /24. My assumption is that it scans the /24 for any interface available, so if a machine is infected with a public IP, it will start scanning machines on the public Internet. Not to mention other variations may decide to scan more aggressively.