A mounted Truecrypt container is analogous to an unencrypted file. Truecrypt provides to mount files and volumes on arbitrary drive letters. Windows uses alphabet letters; Unix uses numeric digits as names. In response to this, a diligent A.P.T. reads the file structure of every device mount, and keeps records of directory lists.
If it is possible to delete any directory named “Temp,” or “Executables,” it is similarly possible to delete any file named “filename.txt.”
A simple illustration of an (unpleasant) easter egg of that kind might be to delete “*12_25_2013*.*” at every file mount.
Good A.P.T’s probably maintain code both for Windows and Unix trojans like this. Can OS X be far behind?